Disable SSLv3 by default #17164
Comments
This comment has been minimized.
This comment has been minimized.
|
comment:3
Is there any temporary fix for this? |
|
comment:4
I don't know, I just saw this, fairly randomly. Exactly what would we want to do to fix this - upgrade Python? I don't know that we can dump the openssl package, there is nothing to replace it. |
|
comment:5
Replying to @kcrisman:
Isn't there any configuration file that could be modified by Sage team until package itself is corrected? |
|
comment:6
Quite possibly! Actually, probably could just patch Python right now. But the point is that I don't know how :-) Since this seems pretty important, do you want to email sage-devel to make people aware of it? Probably most people don't know about this ticket, and ones who would know what to do would respond. |
|
comment:7
https://docs.python.org/2.7/library/ssl.html#ssl.OP_NO_SSLv3 says disabling SSLv3 is "New in version 2.7.9" Sage 6.4.1 includes python 2.7.8 |
|
comment:8
2.7.9 is supposedly going to be released any day now, see https://www.python.org/dev/peps/pep-0373/ - though I'm not sure we want to be quite that early of an adopter. |
|
comment:9
Note that Python 2.9 is apparently now out, as of yesterday. |
|
comment:11
should we update to 2.7.9? Among other things it has a bunch of other SSL/TLS fixes, e.g. SNI support. |
|
comment:12
Is this done with #18912? |
|
comment:13
as we are on python 2.7.9, this should not be an issue anyway. |
|
comment:14
worksforme |
There is a bug in SSLv3, see for example https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/
Upstream bug: http://bugs.python.org/issue22638
CC: @jdemeyer @jpflori
Component: notebook
Issue created by migration from https://trac.sagemath.org/ticket/17164
The text was updated successfully, but these errors were encountered: