mogli added the comment:
That was fast, great job!
For the record: The SSLv3 issue I also wrote about was a false positive because
the test only works with JavaScript. Python 2.7.9 has SSLv3 disabled by default
as it should.
urllib2.urlopen("https://sslv3.dshield.org")  # fails as it should
New submission from mogli:
The documentation (https://docs.python.org/2/library/ssl.html) says:
The settings in Python 2.7.9 are: PROTOCOL_SSLv23, OP_NO_SSLv2, and OP_NO_SSLv3
with high encryption cipher suites without RC4
But it still seems to use RC4: https://www.howsmyssl.com/a/check
Also
STINNER Victor added the comment:
You can explicitly disable RC4 if you create a SSLContext and then call
set_ciphers() with the right list of ciphers. See for example the cipher lists of
Python 2.7 (development branch):
https://hg.python.org/cpython/file/0b44c749ae51/Lib/ssl.py#l150
Add :!RC4
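The following is an added example, not part of the original comment or of CPython's own code: it builds a client context with `:!RC4` appended to the cipher string, as suggested above, and then audits what the context would actually offer. It assumes Python 3.6 or later (`SSLContext.get_ciphers()` is not available in 2.7); the function names are hypothetical.

```python
import ssl


def rc4_suites(ctx):
    """Return the names of RC4-based cipher suites enabled on ctx."""
    return [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"].upper()]


def client_context_without_rc4(base_ciphers="DEFAULT"):
    """Build a verifying client context whose cipher list excludes RC4.

    base_ciphers is an OpenSSL cipher string; ':!RC4' is appended so that
    RC4 suites are removed permanently, whatever the base string enabled.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.set_ciphers(base_ciphers + ":!RC4")
    except ssl.SSLError as exc:
        # Raised when the resulting string selects no cipher at all.
        raise ValueError("cipher string selects nothing: %s" % exc)

    # Audit rather than trust the string: fail closed if RC4 survived.
    leftover = rc4_suites(ctx)
    if leftover:
        raise RuntimeError("RC4 still enabled: %s" % ", ".join(leftover))
    return ctx


if __name__ == "__main__":
    default_ctx = ssl.create_default_context()
    print("RC4 suites in interpreter default:", rc4_suites(default_ctx) or "none")

    hardened = client_context_without_rc4()
    print("suites offered after ':!RC4':", len(hardened.get_ciphers()))
    print("RC4 suites after ':!RC4':", rc4_suites(hardened) or "none")
```

Running the audit against `ssl.create_default_context()` on a given interpreter shows directly whether that release still offers RC4 by default, which is the question this issue turns on.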
Benjamin Peterson added the comment:
RC4 is dropped in the next releases.
--
dependencies: +SSL module should not offer RC4 based cipher suites for clients
by default
nosy: +benjamin.peterson
resolution: - duplicate
status: open - closed
Changes by R. David Murray rdmur...@bitdance.com:
--
nosy: +alex, dstufft
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue23679
___
___
Alex Gaynor added the comment:
I believe RC4 will still be used under 2.7.9 on clients, this is changed for
2.7.10
--
mogli added the comment:
So it seems the docs are wrong.
--
Benjamin Peterson added the comment:
They're correct for the next release. :(
--
Roundup Robot added the comment:
New changeset e1dfa5f0709f by Benjamin Peterson in branch '2.7':
versionchanged for rc4 removal (closes #23679)
https://hg.python.org/cpython/rev/e1dfa5f0709f
New changeset 2a6a63828a40 by Benjamin Peterson in branch '3.4':
versionchanged for rc4 removal (closes
R. David Murray added the comment:
But the doc explicitly says 2.7.9, so no, they are not correct. There also
should be a versionchanged directive, I think.
--
assignee: - docs@python
components: +Documentation
dependencies: -SSL module should not offer RC4 based cipher suites for
Changes by R. David Murray rdmur...@bitdance.com:
--
resolution: duplicate -