Issue 3596: Provide a way to disable SSLv2 (or better yet, disable by default) (original) (raw)

Created on 2008-08-19 03:06 by heikki, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Messages (4)
msg71404 - (view)	Author: Heikki Toivonen (heikki)	Date: 2008-08-19 03:06
There should be a way to disable SSLv2 since it is insecure. It would be even better if SSLv2 was disabled out of the box, but maybe there could be a way to re-enable it. I made the default to disable SSLv2 in M2Crypto, but those that want it can explicitly request unsecure connection. You can take a look at http://svn.osafoundation.org/m2crypto/trunk/M2Crypto/SSL/Context.py to see how I did it. Modern web browsers are also removing SSLv2 support from them, so it should be really rare to actually need v2 anywhere.
msg72447 - (view)	Author: Bill Janssen (janssen) *	Date: 2008-09-04 01:15
We might consider this for 3.x. We didn't want to do this for 2.6, to maintain compatibility with the older socket.ssl module in Python.
msg103749 - (view)	Author: Antoine Pitrou (pitrou) *	Date: 2010-04-20 20:40
The new "ciphers" argument in trunk and py3k should do the trick, shouldn't it? Do note that starting with OpenSSL 1.0.0, SSLv2 is disabled by default when using the "SSLv23" client method (you can re-enable it by specifying "ALL" for the cipher list).
msg104364 - (view)	Author: Antoine Pitrou (pitrou) *	Date: 2010-04-27 21:16
Someone else requested it and even provided a patch. See you on .