Disable SSLv3 by default #17164
Comments
comment:3
Is there any temporary fix for this?
comment:4
I don't know, I just saw this, fairly randomly. Exactly what would we want to do to fix this - upgrade Python? I don't know that we can dump the openssl package, there is nothing to replace it.
comment:5
Replying to @kcrisman:
Isn't there any configuration file that could be modified by Sage team until package itself is corrected?
comment:6
Quite possibly! Actually, probably could just patch Python right now. But the point is that I don't know how :-) Since this seems pretty important, do you want to email sage-devel to make people aware of it? Probably most people don't know about this ticket, and ones who would know what to do would respond.
comment:7
https://docs.python.org/2.7/library/ssl.html#ssl.OP_NO_SSLv3 says disabling SSLv3 is "New in version 2.7.9". Sage 6.4.1 includes Python 2.7.8.
comment:8
2.7.9 is supposedly going to be released any day now, see https://www.python.org/dev/peps/pep-0373/ - though I'm not sure we want to be quite that early of an adopter.
comment:9
Note that Python 2.9 is apparently now out, as of yesterday.
comment:11
Should we update to 2.7.9? Among other things, it has a bunch of other SSL/TLS fixes, e.g. SNI support.
comment:12
Is this done with #18912?
comment:13
As we are on Python 2.7.9, this should not be an issue anyway.
comment:14
worksforme
There is a bug in SSLv3, see for example https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/
Upstream bug: http://bugs.python.org/issue22638
CC: @jdemeyer @jpflori
Component: notebook
Issue created by migration from https://trac.sagemath.org/ticket/17164
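Added example, not code from this ticket or from Sage: a sketch of disabling SSLv3 with the ssl.OP_NO_SSLv3 flag cited in comment:7 and then checking that a context really refuses it. It is written against Python 3's ssl module; the function names harden, sslv3_permitted, audit and client_context_without_sslv3 are hypothetical.

```python
import ssl


def harden(ctx):
    """Set OP_NO_SSLv2 / OP_NO_SSLv3 on an existing context and return it."""
    wanted = int(ssl.OP_NO_SSLv2) | int(ssl.OP_NO_SSLv3)
    # Only OR in bits that are missing: modern defaults already carry them,
    # and newer Pythons warn when a deprecated OP_NO_* flag is newly set.
    missing = wanted & ~int(ctx.options)
    if missing:
        ctx.options |= missing
    return ctx


def sslv3_permitted(options, minimum_version):
    """True if these settings leave SSLv3 open at the Python level.

    Conservative: an OpenSSL build compiled without SSLv3 would refuse it
    anyway, but this check does not rely on that.
    """
    flag_blocks = bool(int(options) & int(ssl.OP_NO_SSLv3))
    floor_blocks = int(minimum_version) > int(ssl.TLSVersion.SSLv3)
    return not (flag_blocks or floor_blocks)


def audit(ctx):
    """Apply sslv3_permitted() to a live SSLContext."""
    return sslv3_permitted(ctx.options, ctx.minimum_version)


def client_context_without_sslv3():
    """Client context that negotiates the best shared version, minus SSLv3."""
    return harden(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))


if __name__ == "__main__":
    # Constructed settings: no OP_NO_SSLv3 bit and no version floor.
    print("legacy-style settings permit SSLv3:",
          sslv3_permitted(0, ssl.TLSVersion.MINIMUM_SUPPORTED))
    print("hardened context permits SSLv3:",
          audit(client_context_without_sslv3()))
```

On an interpreter that predates the flag, such as the 2.7.8 mentioned in comment:7, ssl.OP_NO_SSLv3 is not available, which is why the thread settles on upgrading.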