Issue #22638: SSLv3 is now disabled throughout the standard library.

It can still be enabled by instantiating a SSLContext manually.
2025-10-06 15:11:58 +00:00 · 2014-10-17 19:28:30 +02:00 · 2014-10-17 19:28:30 +02:00 · a21de3d45e
commit a21de3d45e
parent f8c3b69986
2 changed files with 6 additions and 0 deletions
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@ -458,6 +458,9 @@ def _create_unverified_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None,
    context = SSLContext(protocol)
    # SSLv2 considered harmful.
    context.options |= OP_NO_SSLv2
+    # SSLv3 has problematic security and is only required for really old
+    # clients such as IE6 on Windows XP
+    context.options |= OP_NO_SSLv3

    if cert_reqs is not None:
        context.verify_mode = cert_reqs