This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author lemburg
Recipients alex, benjamin.peterson, christian.heimes, doko, dstufft, giampaolo.rodola, janssen, kroeckx, lemburg, ned.deily, pitrou, python-dev, vstinner
Date 2014-12-12.14:48:02
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
In-reply-to <>
> STINNER Victor added the comment:
>> Any of the other options such as PROTOCOL_TLSv1 will fix the protocol version to that one protocol version, whereas PROTOCOL_SSLv23 means to use any protocol starting with SSLv2. In the context options you can then disable SSLv2 and SSLv3 to e.g. have the connection use TLS 1.0 or later.
> get_server_certificate() uses _create_unverified_context() (In Python
> 2.7, 3.4 & 3.5) which explicitly disable SSLv2 and SSLv3. I still have
> trouble to understand which protocol will be negociated. We use SSLv3
> and disable SSLv3, so the server can only use SSLv23. Am I right?

I'm not sure what OpenSSL will do if you tell it to use protocol
SSLv3 and then disable this via the options again. This sounds like
it won't connect at all, since PROTOCOL_SSLv3 means: only support
SSLv3 :-)

The logic used for protocol selection in OpenSSL is, well, weird.
You have the choice between fixing one single protocol version or
selecting a range and then disabling certain protocol versions
when configuring the context options.

FWIW: The ssl_version parameter in _create_unverified_context()
already uses the correct default; IMO, exposing the parameter
in get_server_certificate() is fairly useless, unless you want
to (ab)use the function to test supported protocol versions :-)
Date User Action Args
2014-12-12 14:48:03lemburgsetrecipients: + lemburg, doko, janssen, pitrou, vstinner, giampaolo.rodola, christian.heimes, benjamin.peterson, ned.deily, alex, python-dev, dstufft, kroeckx
2014-12-12 14:48:03lemburglinkissue22935 messages
2014-12-12 14:48:02lemburgcreate