Issue #22638: SSLv3 is now disabled throughout the standard library.

It can still be enabled by instantiating a SSLContext manually.

Issue #22638: SSLv3 is now disabled throughout the standard library.
It can still be enabled by instantiating a SSLContext manually.
e4eda4d3 · Antoine Pitrou · c2c62b13 · e4eda4d3 · e4eda4d3
Commit e4eda4d3 authored Oct 17, 2014 by Antoine Pitrou
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

Lib/ssl.py Lib/ssl.py +3 -0

Misc/NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -454,6 +454,9 @@ def _create_stdlib_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None,
    context = SSLContext(protocol)
    # SSLv2 considered harmful.
    context.options |= OP_NO_SSLv2
+    # SSLv3 has problematic security and is only required for really old
+    # clients such as IE6 on Windows XP
+    context.options |= OP_NO_SSLv3

    if cert_reqs is not None:
        context.verify_mode = cert_reqs

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -178,6 +178,9 @@ Core and Builtins
 Library
 -------

+- Issue #22638: SSLv3 is now disabled throughout the standard library.
+  It can still be enabled by instantiating a SSLContext manually.
+
 - Issue #22641: In asyncio, the default SSL context for client connections
  is now created using ssl.create_default_context(), for stronger security.