Issue #22638: SSLv3 is now disabled throughout the standard library.

It can still be enabled by instantiating a SSLContext manually.

diff --git a/Lib/ssl.py b/Lib/ssl.py
index b6e6f1695d067c556e22715b7182528ec42bc64e..2b81b790d8b54c18159d56ca1808fc6b8954387e 100644 (file)
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -458,6 +458,9 @@ def _create_unverified_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None,
     context = SSLContext(protocol)
     # SSLv2 considered harmful.
     context.options |= OP_NO_SSLv2
+    # SSLv3 has problematic security and is only required for really old
+    # clients such as IE6 on Windows XP
+    context.options |= OP_NO_SSLv3
 
     if cert_reqs is not None:
         context.verify_mode = cert_reqs

diff --git a/Misc/NEWS b/Misc/NEWS
index 275e8590dee5704378db5bd73627de6a68d26467..2d131bd9cc27eb935b5abc9161dc692ab9863378 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -36,6 +36,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #22638: SSLv3 is now disabled throughout the standard library.
+  It can still be enabled by instantiating a SSLContext manually.
+
 - Issue #22370: Windows detection in pathlib is now more robust.
 
 - Issue #22841: Reject coroutines in asyncio add_signal_handler().