Marc-Andre Lemburg added the comment:

On 13.11.2014 22:03, Benjamin Peterson wrote:
>
> Benjamin Peterson added the comment:
>
> Per http://legacy.python.org/dev/peps/pep-0476/#opting-out the only way to do
> these things is horrendously ugly because it's hardly (if ever) a good idea.
The point here is not about verification, it's about being able to allow SSLv3 connections again, which the 2.7.9 version of the ssl module disallows completely. There are plenty of devices and applications out there which don't talk TLS, and we're cutting these off without a good way to re-enable Python 2.7 applications to talk to them again.

The problem here is that Python 2's ssl module has never had a way to access the SSL context directly, so the only way to work around the security risks of e.g. using SSLv2 for connections was to either use SSLv3 (only) or TLSv1 (only). This is due to the fact that OpenSSL doesn't allow you to specify "SSLv3 and later". You have to pin down the version or set up a range that starts at SSLv2 and then disable protocols using context options (which Python 2 has so far never exposed).

More conservative Python applications will have chosen SSLv3 as a way to disable the broken SSLv2 support. I know that we did in one of our applications.

Fortunately, the _ssl module itself doesn't have OP_NO_SSLv3 enabled per default, so custom protocol implementations are probably not affected. Only the stdlib uses of SSL are.

----------

_______________________________________
Python tracker <http://bugs.python.org/issue22866>
_______________________________________
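The "range method plus OP_NO_* mask" idiom the comment describes, as an added example that is not code from the tracker thread: it uses Python 3's ssl module (which exposes the context options Python 2 lacked before 2.7.9), and the helper names `disable_below`, `make_context` and `enabled_versions` are my own.

```python
import ssl

# Protocol versions in the order OpenSSL ranks them, each paired with the
# context option that removes it from the PROTOCOL_SSLv23 "any version" range.
# A flag of 0 means this OpenSSL build does not contain that version at all
# (OP_NO_SSLv2 is 0 on builds without SSLv2; OP_NO_TLSv1_3 may be absent).
_VERSIONS = [
    ("SSLv2", ssl.OP_NO_SSLv2),
    ("SSLv3", ssl.OP_NO_SSLv3),
    ("TLSv1", ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", ssl.OP_NO_TLSv1_2),
    ("TLSv1.3", getattr(ssl, "OP_NO_TLSv1_3", 0)),
]


def disable_below(min_version):
    """Return the OP_NO_* mask that forbids every version older than min_version."""
    names = [name for name, _ in _VERSIONS]
    if min_version not in names:
        raise ValueError("unknown protocol version: %r" % (min_version,))
    mask = 0
    for _, flag in _VERSIONS[:names.index(min_version)]:
        mask |= flag
    return mask


def make_context(min_version="TLSv1"):
    """Build a range context and mask off everything below min_version.

    There is no "SSLv3 and later" method in OpenSSL: the range method accepts
    any version it knows, and OP_NO_* options narrow that range afterwards.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)  # range method, alias of PROTOCOL_TLS
    ctx.options |= disable_below(min_version)
    return ctx


def enabled_versions(ctx):
    """List the versions a context still permits, judged from its OP_NO_* bits.

    Versions whose flag is 0 are not compiled into OpenSSL and are never listed.
    """
    return [name for name, flag in _VERSIONS
            if flag and not (ctx.options & flag)]
```

On Python 3 the context already carries OP_NO_SSLv2 and OP_NO_SSLv3 by default, so `enabled_versions(make_context("TLSv1"))` shows the mask only removing versions the defaults left open.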