This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

Author lemburg
Recipients alex, benjamin.peterson, lemburg, r.david.murray
Date 2014-11-13.21:55:49
Message-id <546528E0.3040105@egenix.com>
In-reply-to <1415912615.64.0.882579575703.issue22866@psf.upfronthosting.co.za>
Content
On 13.11.2014 22:03, Benjamin Peterson wrote:
> 
> Benjamin Peterson added the comment:
> 
> Per http://legacy.python.org/dev/peps/pep-0476/#opting-out the only way to do these things is horrendously ugly because it's hardly (if ever) a good idea.

The point here is not about verification, it's about being able
to allow SSLv3 connections again, which the 2.7.9 version of the
ssl module disallows completely.

There are plenty of devices and applications out there which don't
talk TLS and we're cutting these off without a good way to
re-enable Python 2.7 applications to talk to these again.

The problem here is that Python 2's ssl module has never had a
way to access the SSL context directly, so the only way to work
around security risks of e.g. using SSLv2 for connections was
to either use SSLv3 (only) or TLSv1 (only).

This is due to the fact that OpenSSL doesn't allow you to specify
SSLv3 and later. You have to pin down the version or set up
a range that starts at SSLv2 and then disable protocols using
context options (which Python 2 has so far never exposed).

More conservative Python applications will have chosen SSLv3 as
a way to disable the broken SSLv2 support. I know that we did
in one of our applications.

Fortunately, the _ssl module itself doesn't have OP_NO_SSLv3
enabled by default, so custom protocol implementations are
probably not affected. Only the stdlib uses of SSL are.
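
The "start from a range, then mask protocols with context options" model from the message above, as an added audit helper for Python 3.7+ (not part of the original message or of CPython). It also honours `minimum_version`/`maximum_version`, which the message does not discuss; `permitted_versions` and `audit_context` are hypothetical names.

```python
import ssl

# Protocol versions in ascending order, each with the OP_NO_* flag that masks it.
# SSLv2 is left out: OpenSSL builds used by current Python no longer include it.
VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3, ssl.OP_NO_SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
]


def permitted_versions(options, minimum=ssl.TLSVersion.MINIMUM_SUPPORTED,
                       maximum=ssl.TLSVersion.MAXIMUM_SUPPORTED):
    """Return the protocol names left enabled by an options mask and a version range."""
    # The *_SUPPORTED sentinels mean "no explicit bound": use the ends of the table.
    lo = VERSIONS[0][1] if minimum == ssl.TLSVersion.MINIMUM_SUPPORTED else minimum
    hi = VERSIONS[-1][1] if maximum == ssl.TLSVersion.MAXIMUM_SUPPORTED else maximum
    return [name for name, version, no_flag in VERSIONS
            if lo <= version <= hi and not options & no_flag]


def audit_context(ctx):
    """Report which protocol versions an SSLContext's settings leave enabled."""
    return permitted_versions(ctx.options, ctx.minimum_version, ctx.maximum_version)


if __name__ == "__main__":
    # A bare mask with no OP_NO_* bits: the situation described for _ssl itself.
    print("no flags:      ", permitted_versions(0))
    # With the OP_NO_SSLv3 bit set, SSLv3 drops out of the range.
    print("OP_NO_SSLv3:   ", permitted_versions(ssl.OP_NO_SSLv3))
    # What this interpreter's default client context allows.
    print("default client:", audit_context(ssl.create_default_context()))
```

The result reflects the context's settings only; the linked OpenSSL build may itself have been compiled without some of the listed protocols.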
History
Date                 User     Action  Args
2014-11-13 21:55:50  lemburg  set     recipients: + lemburg, benjamin.peterson, alex, r.david.murray
2014-11-13 21:55:50  lemburg  link    issue22866 messages
2014-11-13 21:55:49  lemburg  create
