restrict the ssl protocol version #832
Labels
auto-locked
Outdated issues that have been locked by automation
type: security
Has potential security implications
Milestone
Comments
|
Is there any update about this? |
|
So recent versions of Python don't support SSLv2.0 by default anymore so we're clear there. The only other benefit here would be being able to kill SSLv3.0, TLSv1.0, or TLSv1.1. Looking at https://www.trustworthyinternet.org/ssl-pulse/ we can see that less than 40% of the world supports TLSv1.1 or TLSv1.2 however everyone supports SSLv3.0 and TLSv1.0. There is a very marginal security benefit to disabling SSLv3.0, however it's not really possible to disable SSLv3.0 without pinning to an exact version of TLS on 2.x without pyOpenSSL. Because of the marginal security benefits of disabling SSLv3.0, the low support of TLSv1.1+, and Python itself disabling SSLv2 I'm going to just close this issue. |
lock
bot
added
the
auto-locked
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
@dstufft: "SSL v2 is known to be insecure, pretty sure PyPI itself disables it but for non PyPI indexes it might be useful for pip to do the same."
The text was updated successfully, but these errors were encountered: