[issue22638] ssl module: the SSLv3 protocol is vulnerable ("POODLE" attack)
STINNER Victor
report at bugs.python.org
Wed Oct 15 14:03:12 CEST 2014
STINNER Victor added the comment:
I read the table explaining how SSL/TLS is negociated between the client and the server:
https://docs.python.org/2.7/library/ssl.html#ssl.wrap_socket
I don't understand how I can ask to "use TLS, prefer the most recent version, but don't use SSL"? Should I use TLSv1 which only works with TLS version 1.0? Or TLSv12 and bet that the server implements this newer TLS version?
create_default_context() uses PROTOCOL_SSLv23 with OP_NO_SSLv2 and OP_NO_SSLv3. I don't understand: we ask to use "SSL version 2 or 3" but we disable SSLv2 and SSLv3?
If the client uses PROTOCOL_SSLv23, does it mean that TLS will never be tried?
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22638>
_______________________________________
More information about the Python-bugs-list
mailing list