New submission from Alex Gaynor:
SSLv2 has numerous security issues, and thus is in limited use on the web.
Continuing to allow SSLv2 handshakes only serves to limit security.
--
components: Library (Lib)
messages: 207748
nosy: alex
priority: normal
severity: normal
status: open
title:
Donald Stufft added the comment:
+1
--
nosy: +dstufft
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue20207
___
___
Python-bugs-list mailing list
Changes by Christian Heimes li...@cheimes.de:
--
nosy: +christian.heimes
Antoine Pitrou added the comment:
Here is a patch. Can someone try it with a non-patched OpenSSL? (e.g. OS X)
--
keywords: +patch
Added file: http://bugs.python.org/file33377/no_sslv2.patch
Antoine Pitrou added the comment:
Note that this probably would have to be applied to 3.x too, for consistency.
--
versions: +Python 3.3, Python 3.4
Alex Gaynor added the comment:
Yes, OP_NO_SSLv2 should be used by default.
--
Antoine Pitrou added the comment:
(by trying, I mean at least ./python -m test.regrtest -unetwork -v test_ssl)
--
Alex Gaynor added the comment:
I can confirm the tests pass on OS X and it's possible to open a connection to
howsmyssl.com
--
Alex Gaynor added the comment:
I'm not sure this is needed on Python 3, it already has:
http://hg.python.org/cpython/file/default/Lib/ssl.py#l388
--
Antoine Pitrou added the comment:
> I'm not sure this is needed on Python 3, it already has:
> http://hg.python.org/cpython/file/default/Lib/ssl.py#l388
It doesn't get executed when you create a SSLContext directly, though.
--
Hynek Schlawack added the comment:
I’m +1 too since supporting it serves no other purpose than enabling downgrade
attacks. Shipping a client with SSL 2 on is nothing short of a security bug.
--
nosy: +hynek
Antoine Pitrou added the comment:
Please qualify the request a bit: do you mean something should be done in the
ssl module? One solution is to add OP_NO_SSLv2 when the user asks for a
PROTOCOL_SSLv23 socket. Is that what you mean?
--
nosy: +pitrou
type: -> behavior
Changes by STINNER Victor victor.stin...@gmail.com:
--
nosy: +haypo
STINNER Victor added the comment:
> Here is a patch. Can someone try it with a non-patched OpenSSL? (e.g. OS X)
How can I test that SSLv2 is disabled?
--
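The two points raised in the thread, Antoine's proposal of OR-ing OP_NO_SSLv2 into a PROTOCOL_SSLv23 context (and his note that wrap_socket's defaults do not apply when an SSLContext is created directly) and Victor's question of how to check that SSLv2 is actually off, as an added example that is not part of the thread or of the committed patch. It assumes a Python 3 with the ssl module; the names make_context, disable_legacy_ssl, sslv2_disabled and legacy_versions_blocked are my own. It goes beyond the ticket in two ways: it sets OP_NO_SSLv3 with the same mechanism, and the check is offline (it inspects the context's option bits rather than connecting to howsmyssl.com) and accounts for OpenSSL builds that no longer contain SSLv2 at all, where the OP_NO_SSLv2 flag is a no-op.

```python
import ssl
import warnings

# Flags a client should always carry. OP_NO_SSLv2 is what the ticket asks for;
# OP_NO_SSLv3 is added here as the same kind of fix (it goes beyond the ticket).
LEGACY_OPTIONS = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3


def make_context(protocol=ssl.PROTOCOL_SSLv23):
    """Build a context the way the thread identifies as the gap: directly via
    ssl.SSLContext, so nothing wrap_socket() does on the caller's behalf applies."""
    with warnings.catch_warnings():
        # Newer Pythons deprecate the PROTOCOL_SSLv23 alias and the OP_NO_*
        # flags in favour of SSLContext.minimum_version; the flag mechanism is
        # still the one under discussion, so the deprecation noise is silenced.
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(protocol)


def disable_legacy_ssl(ctx):
    """Apply the proposed fix: OR the OP_NO_* bits into ctx.options.

    OpenSSL option bits are sticky (they can be added but never cleared), so
    doing this once on a shared context is enough."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= LEGACY_OPTIONS
    return ctx


def sslv2_disabled(ctx):
    """True when SSLv2 cannot be negotiated on ctx, for either reason: the
    OP_NO_SSLv2 bit is set, or the linked OpenSSL has no SSLv2 code at all.

    OpenSSL 1.1.0 removed SSLv2 and defines SSL_OP_NO_SSLv2 as 0, so a plain
    bit test would report "not disabled" on a library that cannot speak it."""
    if not getattr(ssl, "HAS_SSLv2", True):  # ssl.HAS_SSLv2 exists since 3.7
        return True
    if ssl.OP_NO_SSLv2 == 0:  # the flag is a no-op because SSLv2 is gone
        return True
    return bool(ctx.options & ssl.OP_NO_SSLv2)


def legacy_versions_blocked(ctx):
    """Summarise which legacy protocol versions the context refuses."""
    return {
        "SSLv2": sslv2_disabled(ctx),
        "SSLv3": bool(ctx.options & ssl.OP_NO_SSLv3),
    }


if __name__ == "__main__":
    ctx = make_context()
    print("fresh context:", legacy_versions_blocked(ctx))
    print("after the fix:", legacy_versions_blocked(disable_legacy_ssl(ctx)))
```

On a Python that already carries this fix, the "fresh context" line will show SSLv2 blocked before disable_legacy_ssl runs, which is exactly the behaviour the changesets below introduce; on a 2.7 before the fix, only the second line would show it.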
Roundup Robot added the comment:
New changeset 163c09041280 by Antoine Pitrou in branch '2.7':
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly
asked for.
http://hg.python.org/cpython/rev/163c09041280
--
nosy: +python-dev
Roundup Robot added the comment:
New changeset 613b403ca9f1 by Antoine Pitrou in branch '3.3':
Issue #20207: Always disable SSLv2 except when PROTOCOL_SSLv2 is explicitly
asked for.
http://hg.python.org/cpython/rev/613b403ca9f1
New changeset e02288de43ed by Antoine Pitrou in branch 'default':
Antoine Pitrou added the comment:
This should be ok now. Let's hope no buildbots will complain...
--
resolution: -> fixed
stage: -> committed/rejected
status: open -> pending
Changes by Antoine Pitrou pit...@free.fr:
--
status: pending -> closed