Antoine Pitrou added the comment: > We can add OP_NO_SSLv3 to the default context to prevent SSL3 but it's > sort of a situational thing. If you're doing something where you need > SSL3 clients you don't want OP_NO_SSLv3. > > So I guess the question is, do we want to be more secure by default > and *not* lower the lower bounds of security and require people to add > context.options & ~ssl.OP_NO_SSLv3 if they want to support SSLv3 > connections?
Most people won't understand the symptoms if some clients can't connect, so I'd say no. Also, clients should always use the higher possible protocol version, so I don't think security is at stake here. ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue21013> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
