Donald Stufft added the comment:

I'll do that :)

To be clear about this patch, it raises the upper bounds of security by 
enabling TLS 1.1 and 1.2, as well as the single use for (EC)DH and preferring 
the server ciphers.

However, it also lowers the lower bounds of security and includes SSLv3, which 
has some issues (see 
https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_3.0). However, there 
exist clients that only support SSL3 (the primary one I'm aware of is IE6 on 
Windows XP).

We can add OP_NO_SSLv3 to the default context to prevent SSL3, but it's sort of 
a situational thing. If you're doing something where you need SSL3 clients, you 
don't want OP_NO_SSLv3.

So I guess the question is: do we want to be more secure by default and *not* 
lower the lower bounds of security, and require people to add context.options &= 
~ssl.OP_NO_SSLv3 if they want to support SSLv3 connections?

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue21013>
_______________________________________
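The context configuration debated in this comment, as an added example that is not code from the patch or from CPython's ssl module: a server context with the "secure by default" floor (OP_NO_SSLv3 set, (EC)DH single use and server cipher preference on), the explicit per-application opt-out via context.options &= ~ssl.OP_NO_SSLv3, and a check of what the resulting context refuses. build_default_context and protocol_policy are hypothetical helper names.

```python
import ssl

# Hardening bits the patch turns on by default (as named in the comment).
_HARDENING = (ssl.OP_SINGLE_DH_USE
              | ssl.OP_SINGLE_ECDH_USE
              | ssl.OP_CIPHER_SERVER_PREFERENCE)


def build_default_context(allow_sslv3=False):
    """Server context with SSLv3 refused unless the caller opts out.

    Hypothetical helper, not the stdlib's create_default_context(). The
    library ships secure by default; an application that really must talk
    to SSL3-only clients clears OP_NO_SSLv3 itself.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv3 | _HARDENING
    if allow_sslv3:
        # The situational opt-out from the comment. Caveat: on current
        # Python/OpenSSL builds SSLv3 is normally compiled out and
        # minimum_version sets the floor, so clearing this bit alone does
        # not bring SSLv3 back; it only changes the option bit.
        ctx.options &= ~ssl.OP_NO_SSLv3
    return ctx


def protocol_policy(ctx):
    """Report the option bits this comment is concerned with, as bools."""
    return {
        "sslv3_blocked": bool(ctx.options & ssl.OP_NO_SSLv3),
        "server_cipher_preference": bool(
            ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
    }
```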