From: Antoine Pitrou <solipsis@pitrou.net>
Date: Fri, 17 Oct 2014 17:28:30 +0000 (+0200)
Subject: Issue #22638: SSLv3 is now disabled throughout the standard library.
X-Git-Tag: v3.5.0a1~643
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e4eda4d33f40e6e868d895915facc8c24265b584;p=python

Issue #22638: SSLv3 is now disabled throughout the standard library.
It can still be enabled by instantiating a SSLContext manually.
---

diff --git a/Lib/ssl.py b/Lib/ssl.py
index 8854e37748..d74b340a7f 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -454,6 +454,9 @@ def _create_stdlib_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None,
     context = SSLContext(protocol)
     # SSLv2 considered harmful.
     context.options |= OP_NO_SSLv2
+    # SSLv3 has problematic security and is only required for really old
+    # clients such as IE6 on Windows XP
+    context.options |= OP_NO_SSLv3
 
     if cert_reqs is not None:
         context.verify_mode = cert_reqs
diff --git a/Misc/NEWS b/Misc/NEWS
index fd502b6e4a..d5704308b1 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -178,6 +178,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #22638: SSLv3 is now disabled throughout the standard library.
+  It can still be enabled by instantiating a SSLContext manually.
+
 - Issue #22641: In asyncio, the default SSL context for client connections
   is now created using ssl.create_default_context(), for stronger security.