[issue22935] Disabling SSLv3 support

2015-01-06 Thread Berker Peksag
Changes by Berker Peksag: stage: needs patch -> resolved

2015-01-06 Thread STINNER Victor
STINNER Victor added the comment:
> I'm now waiting for the following buildbot before closing the issue:
> http://buildbot.python.org/all/builders/x86%20Tiger%203.4

Before my change, test_ssl because with "NameError: name 'PROTOCOL_SSLv3' is not defined". With my change, test_ssl now passes. I cl

2015-01-06 Thread STINNER Victor
STINNER Victor added the comment: Ok, I committed my change to Python 3.4. I'm now waiting for the following buildbot before closing the issue: http://buildbot.python.org/all/builders/x86%20Tiger%203.4

2015-01-06 Thread Roundup Robot
Roundup Robot added the comment: New changeset a8c4925e2359 by Victor Stinner in branch '3.4': Issue #20896, #22935: The ssl.get_server_certificate() function now uses the https://hg.python.org/cpython/rev/a8c4925e2359

2015-01-05 Thread STINNER Victor
STINNER Victor added the comment: I'm going to commit get_server_certificate_sslv23.patch into Python 3.4, so Python 3.4 will just behave like Python 2.7 and 3.5, except if someone complains :-)

2015-01-05 Thread Ned Deily
Ned Deily added the comment: Setting to release blocker since this needs to be resolved for 3.4.3. FYI, the OS X x86 Tiger 3.4 buildbot has been updated to use a local copy of OpenSSL 1.0.1j with SSLv3 disabled and multiple tests now fail (2.7 and default do not fail, as expected). http://bu

2014-12-12 Thread Kurt Roeckx
Kurt Roeckx added the comment: Most such sites actually seem to have dropped support for SSLv3. One site where it depends on the cipher string is bugs.cdburnerxp.se

2014-12-12 Thread Marc-Andre Lemburg
Marc-Andre Lemburg added the comment:
> STINNER Victor added the comment:
>
>> Any of the other options such as PROTOCOL_TLSv1 will fix the protocol
>> version to that one protocol version, whereas PROTOCOL_SSLv23 means to use
>> any protocol starting with SSLv2. In the context options you can

2014-12-12 Thread STINNER Victor
STINNER Victor added the comment: Do you have an example of server returning a different certificate depending on the protocol?

2014-12-12 Thread Kurt Roeckx
Kurt Roeckx added the comment: SSLv3 does not support the TLS extensions so it's going to send a totally different Client Hello. It will for instance not indicate which elliptic curves it supports. So yes the behavior for SSLv3 and SSLv23 can be totally different. But even with both SSLv23 a

2014-12-12 Thread STINNER Victor
STINNER Victor added the comment:
> Any of the other options such as PROTOCOL_TLSv1 will fix the protocol version
> to that one protocol version, whereas PROTOCOL_SSLv23 means to use any
> protocol starting with SSLv2. In the context options you can then disable
> SSLv2 and SSLv3 to e.g. have

2014-12-12 Thread STINNER Victor
STINNER Victor added the comment:
> So this seems to be a function that just gets the certificate? You need to
> be careful with this since a server could perfectly decide to send a
> different certificate depending on the client hello it receives. (...) In any
> case, you should always use S

2014-12-12 Thread Kurt Roeckx
Kurt Roeckx added the comment: So this seems to be a function that just gets the certificate? You need to be careful with this since a server could perfectly decide to send a different certificate depending on the client hello it receives. Like if you support ECDSA it might decide to send yo

2014-12-12 Thread Marc-Andre Lemburg
Marc-Andre Lemburg added the comment: Please always use PROTOCOL_SSLv23 since this is the only forward compatible way of telling OpenSSL to use the best protocol available. Any of the other options such as PROTOCOL_TLSv1 will fix the protocol version to that one protocol version, whereas PROTO

2014-12-12 Thread STINNER Victor
STINNER Victor added the comment: get_server_certificate_sslv23.patch: Patch to use PROTOCOL_SSLv23 by default in get_server_certificate(), as done in Python 2.7 and 3.5. -- Added file: http://bugs.python.org/file37424/get_server_certificate_sslv23.patch

2014-12-12 Thread STINNER Victor
STINNER Victor added the comment: Oh, in Python 3.4, create_default_context() uses PROTOCOL_SSLv23, SSLSocket, wrap_socket() and _create_unverified_context() use PROTOCOL_SSLv23 by default. In Python 3.5, get_server_certificate() now uses PROTOCOL_SSLv23 by default because test_ssl failed on t

2014-12-12 Thread STINNER Victor
STINNER Victor added the comment:
> The changes for 3.4 are incomplete

Ok, I fixed most obvious issues. There is a major severe issue in Lib/ssl.py:

    def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
        ...

This line fails if PROTOCOL_SSLv3 name does not exi
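As an added example (my code, not code from this thread or from CPython), here is how the three points above combine in a get_server_certificate()-style helper: it probes for PROTOCOL_SSLv3 instead of naming it in a default argument that is evaluated at import time, it negotiates with PROTOCOL_SSLv23 and turns SSLv2/SSLv3 off through context options as Marc-Andre recommends, and it lets the caller steer the cipher string because, as Kurt notes, the certificate a server returns can depend on the Client Hello. It is written against current Python, where PROTOCOL_SSLv23 survives as a deprecated alias; the function names and the ciphers/timeout parameters are mine.

```python
import socket
import ssl

# SSLv3 can be compiled out of OpenSSL (no-ssl3), in which case the _ssl
# module does not export PROTOCOL_SSLv3 at all. Probe for the name instead
# of mentioning it in a default argument, which runs at import time.
SSLV3_AVAILABLE = hasattr(ssl, "PROTOCOL_SSLv3")


def build_context(protocol=ssl.PROTOCOL_SSLv23, ca_certs=None, ciphers=None):
    """PROTOCOL_SSLv23 negotiates the best version both peers support; the
    legacy versions are then switched off through context options rather
    than by pinning one version with a PROTOCOL_TLSv1-style constant."""
    ctx = ssl.SSLContext(protocol)
    # OP_NO_SSLv2 is a no-op bit on OpenSSL builds that dropped SSLv2 entirely.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    if ca_certs is not None:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
        ctx.load_verify_locations(ca_certs)
    else:
        # Same trade-off as get_server_certificate() without ca_certs: the
        # returned PEM is unauthenticated data, not proof of the peer's identity.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if ciphers is not None:
        # The cipher list shapes the Client Hello, and a server may answer an
        # ECDSA-capable hello with a different certificate than an RSA-only one.
        ctx.set_ciphers(ciphers)
    return ctx


def sslv3_disabled(ctx):
    """True when the context will refuse to negotiate SSLv3."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


def get_server_certificate(addr, ssl_version=ssl.PROTOCOL_SSLv23,
                           ca_certs=None, ciphers=None, timeout=10.0):
    """Fetch the peer certificate as PEM, like ssl.get_server_certificate()
    but with SSLv2/SSLv3 disabled and an optional cipher string."""
    host, port = addr
    ctx = build_context(ssl_version, ca_certs, ciphers)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)
```

Calling get_server_certificate(("example.invalid", 443), ciphers="ECDHE-ECDSA-AES128-GCM-SHA256") and again with an RSA-only cipher string is the check that shows whether a given server serves different certificates per Client Hello.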

2014-12-12 Thread Roundup Robot
Roundup Robot added the comment: New changeset f0297263a1e8 by Victor Stinner in branch '3.4': Issue #22935: Fix test_ssl when the SSLv3 protocol is not supported https://hg.python.org/cpython/rev/f0297263a1e8

2014-12-12 Thread Roundup Robot
Roundup Robot added the comment:
New changeset 773e55c95703 by Victor Stinner in branch '3.4': Issue #22935: Fix ssl module when SSLv3 protocol is not supported https://hg.python.org/cpython/rev/773e55c95703
New changeset fb1ffd40d33e by Victor Stinner in branch 'default': Issue #22935: Fix test

2014-12-12 Thread Ned Deily
Ned Deily added the comment: The changes for 3.4 are incomplete:

    >>> import ssl
    Traceback (most recent call last):
      File "", line 1, in
      File "/py/dev/34/source/Lib/ssl.py", line 122, in
        from _ssl import PROTOCOL_SSLv3, PROTOCOL_SSLv23, PROTOCOL_TLSv1
    ImportError: cannot import name 'P

2014-12-08 Thread Kurt Roeckx
Kurt Roeckx added the comment: I did update the documentation to mention that, but it seems none of my documentation changes got applied.

2014-12-06 Thread STINNER Victor
STINNER Victor added the comment: The documentation should be modified to explain that SSLv2 and SSLv3 are not always available.

2014-12-05 Thread Roundup Robot
Roundup Robot added the comment:
New changeset 49d267a58cc2 by Benjamin Peterson in branch '2.7': allow ssl module to compile if openssl doesn't support SSL 3 (closes #22935) https://hg.python.org/cpython/rev/49d267a58cc2
New changeset 4077e0cd8d48 by Benjamin Peterson in branch '3.4': allow ssl

2014-12-01 Thread Kurt Roeckx
Kurt Roeckx added the comment: I've just signed the contributor agreement

2014-11-30 Thread Ned Deily
Ned Deily added the comment: Clearly we need to support openssl's without SSLv3 so I think some version of this needs to be applied to all branches (preferably in time for 2.7.9, Benjamin?). Kurt, if you haven't already, could you sign the contributor agreement so we can use the patch (https

2014-11-28 Thread Matthias Klose
Matthias Klose added the comment: maybe it's time to generalise this one, still found on all branches:

    # Issue #9415: Ubuntu hijacks their OpenSSL and forcefully disables SSLv2
    def skip_if_broken_ubuntu_ssl(func):

-- nosy: +doko

2014-11-28 Thread STINNER Victor
STINNER Victor added the comment: FYI LibreSSL also disabled SSLv2 and SSLv3. -- nosy: +haypo

2014-11-24 Thread Antoine Pitrou
Changes by Antoine Pitrou: stage: -> patch review; type: -> compile error; versions: +Python 2.7, Python 3.4, Python 3.5

2014-11-24 Thread Alex Gaynor
Alex Gaynor added the comment: Good to know, thanks.

2014-11-24 Thread Kurt Roeckx
Kurt Roeckx added the comment: I know what I uploaded to Debian experimental. And I can't promise that I'll keep that define. I suggest you assume that NO_SSL3 will disable both.

2014-11-24 Thread Alex Gaynor
Alex Gaynor added the comment: FWIW, Debian experimental appears to be using a different #define for this. Here's how we handled it in pyca/cryptography: https://github.com/pyca/cryptography/commit/04a3f1f2c4086c0d7162b6dd79b6332d9115b2c0 -- nosy: +alex, christian.heimes, dstufft, giam

2014-11-24 Thread Kurt Roeckx
New submission from Kurt Roeckx: Hi, The attached patch makes python work when openssl doesn't have SSLv3 support. It also updates the documentation, which has already improved a lot since my original patch. The current upstream openssl when compiled with no-ssl2 it defines OPENSSL_NO_SSL2,