
Author lemburg
Recipients alex, benjamin.peterson, lemburg, r.david.murray
Date 2014-11-14.01:02:58
Message-id <546554B7.405@egenix.com>
In-reply-to <1415924954.68.0.211274859321.issue22866@psf.upfronthosting.co.za>
Content
On 14.11.2014 01:29, Benjamin Peterson wrote:
> 
> But you can reenable SSLv3 by altering the context and monkeypatching as described in the PEP.

Well, I can monkeypatch the ssl module of course, but that's
not really the point here. I'm not talking about whether I can fix this
for myself or not.

The point here is that PEP 476 only addresses certificate validation, not
disabling of SSLv3 support.

AFAIK, there has been no discussion about this removal on python-dev or
in a PEP. The only place I found some discussion was on
http://bugs.python.org/issue22638, but that's targeting Python 3.5, not
a patch level release of Python or existing software.

Also note that all of the browsers mentioned in that ticket discussion
only disable the feature, but keep an option to reenable it. As it
stands, there's no simple option to do this for the ssl default
context short of monkeypatching ssl.OP_NO_SSLv3 = 0.

It would be better to add e.g. a global to the ssl module, so that
you can override the default context options easily and without
having to monkeypatch anything:

ssl.py:
DEFAULT_CONTEXT_OPTIONS = OP_NO_SSLv2 | OP_NO_SSLv3 | ...

myapp.py:
import ssl
# Reenable SSLv3 for myapp:
ssl.DEFAULT_CONTEXT_OPTIONS = ssl.DEFAULT_CONTEXT_OPTIONS & ~ssl.OP_NO_SSLv3
History
Date                 User     Action  Args
2014-11-14 01:02:58  lemburg  set     recipients: + lemburg, benjamin.peterson, alex, r.david.murray
2014-11-14 01:02:58  lemburg  link    issue22866 messages
2014-11-14 01:02:58  lemburg  create
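
Added example, not part of the original message and not code from the ssl module: an audit helper that reports which legacy-protocol OP_NO_* bits are missing from a context, so a context loosened in the way the message discusses can be told apart from the default one. The names LEGACY_FLAGS, not_disabled_by_options, audit and context_with_sslv3_flag_cleared are hypothetical; it assumes Python 3.7+ built against an OpenSSL where OP_NO_SSLv3 is a non-zero bit.

```python
import ssl

# OP_NO_* bits for the legacy protocols. A value of 0 means this OpenSSL
# build has no such switch (common for SSLv2), so there is nothing to test.
LEGACY_FLAGS = {
    "SSLv2": ssl.OP_NO_SSLv2,
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
}


def not_disabled_by_options(ctx):
    """Names of legacy protocols whose OP_NO_* bit is NOT set on ctx."""
    opts = int(ctx.options)
    return sorted(
        name for name, flag in LEGACY_FLAGS.items()
        if int(flag) and not opts & int(flag)
    )


def audit(ctx):
    """Summarise what limits the protocol versions this context offers."""
    return {
        "flags_missing": not_disabled_by_options(ctx),
        # minimum_version can still exclude a protocol even when the
        # matching OP_NO_* bit is clear, so report it alongside the flags.
        "minimum_version": getattr(ctx, "minimum_version", None),
    }


def context_with_sslv3_flag_cleared():
    """Constructed sample: one context loosened, module defaults untouched."""
    ctx = ssl.create_default_context()
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_SSLv3)
    return ctx


if __name__ == "__main__":
    print("default :", audit(ssl.create_default_context()))
    print("loosened:", audit(context_with_sslv3_flag_cleared()))
```

A cleared flag does not by itself mean SSLv3 will be negotiated: minimum_version and the OpenSSL build's own protocol support are applied as well.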