Author christian.heimes
Recipients Jim.Jewett, Lukasa, alex, christian.heimes, dstufft, georg.brandl, giampaolo.rodola, hynek, janssen, larry, python-dev, steve.dower
Date 2016-09-22.18:40:38
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1474569638.73.0.898100512171.issue27850@psf.upfronthosting.co.za>
In-reply-to
Content
Larry, the issue has nothing to do with the TLS/SSL library or implementation. It's about cipher suite selection. All (!) SSL libraries are affected because they had 3DES enabled as a legacy fallback.

Fun fact: OpenSSL's latest security fix has addressed the issue and disabled 3DES by default. But Python overrides the fix and enables 3DES again. LibreSSL hasn't announced a fix yet.

By the way, I don't take LibreSSL seriously. The developers are all cookie about best practice and security but they don't even offer HTTPS on their website or for downloads. Yes, the official download location for LibreSSL does not support secure file transfer.
History
Date User Action Args
2016-09-22 18:40:38 christian.heimes set recipients: + christian.heimes, georg.brandl, janssen, larry, giampaolo.rodola, alex, python-dev, hynek, Jim.Jewett, steve.dower, dstufft, Lukasa
2016-09-22 18:40:38 christian.heimes set messageid: <1474569638.73.0.898100512171.issue27850@psf.upfronthosting.co.za>
2016-09-22 18:40:38 christian.heimes link issue27850 messages
2016-09-22 18:40:38 christian.heimes create
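
Added example (not part of the original message and not CPython's own code): a check for the condition the message describes, namely whether an SSLContext still offers 3DES suites regardless of the library's defaults, together with a context whose cipher string excludes them. The cipher string NO_3DES, the helper names and the SAMPLE rows are assumptions constructed for illustration.

```python
import ssl

# Constructed rows in the shape returned by SSLContext.get_ciphers().
SAMPLE = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256",
     "description": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"},
    {"name": "DES-CBC3-SHA",
     "description": "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1"},
    {"name": "ECDHE-RSA-DES-CBC3-SHA",
     "description": "ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1"},
]

# Assumed policy string for this example: strong suites only, 3DES excluded.
NO_3DES = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def triple_des_suites(ciphers):
    """Return the names of 3DES suites found in get_ciphers()-style rows."""
    hits = []
    for row in ciphers:
        name = row.get("name", "")
        desc = row.get("description", "")
        # OpenSSL describes 3DES as Enc=3DES(168); names use DES-CBC3 or 3DES.
        if "Enc=3DES" in desc or "DES-CBC3" in name or "3DES" in name:
            hits.append(name)
    return hits


def context_without_3des():
    """Client context whose cipher list is set explicitly, without 3DES."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(NO_3DES)
    return ctx


if __name__ == "__main__":
    # What the application enables matters, not only what the library defaults to.
    print(ssl.OPENSSL_VERSION)
    for label, ctx in (("default context", ssl.create_default_context()),
                       ("explicit no-3DES context", context_without_3des())):
        hits = triple_des_suites(ctx.get_ciphers())
        print(label + ":", hits or "no 3DES suites enabled")
```
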