On Thu, Jan 9, 2014 at 8:20 AM, Alex Gaynor <alex.gay...@gmail.com> wrote: > Hey all, > > There are a number of serious security improvements that have gone into the > stdlib SSL module in Python 3. For reasons that defy understanding, the > CPython maintainers have decided not to backport them to Python 2. > > I'd like to backport a few of them, starting with: blocking SSLv2 by > default. How do people feel about this? > > There are basically no servers on the internet that use SSLv2, as it's > completely broken, so all this does is prevent an attack. The downside is > that there'd be no way for a user to turn this off if we do it. > > This would be a serious security hardening IMO. > > (Note that this mostly only affects OS X, almost every other platform has > had SSLv2 turned off in OpenSSL itself). > > Any objections? > Alex
I think this particular change is fine, especially that on modern linux systems, sslv2 is not supported anyway _______________________________________________ pypy-dev mailing list pypy-dev@python.org https://mail.python.org/mailman/listinfo/pypy-dev
