[issue22638] ssl module: the SSLv3 protocol is vulnerable ("POODLE" attack)
Antoine Pitrou
report at bugs.python.org
Wed Oct 15 01:13:54 CEST 2014
Antoine Pitrou added the comment:
"""Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks."""
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22638>
_______________________________________
More information about the Python-bugs-list
mailing list