saghul
commented
8 years ago Hi! Thanks for the patch! What versions of Python 2.6 should this apply to? I see you are now applying it to > 2.6.9, do the other ssl patches already disable SSLv3 support?
Closed flub closed 7 years ago
saghul
commented
8 years ago Hi! Thanks for the patch! What versions of Python 2.6 should this apply to? I see you are now applying it to > 2.6.9, do the other ssl patches already disable SSLv3 support?
flub
commented
8 years ago So I did debate which version this should all be applied too. In principle all py26 builds are broken and need some version of this patch but I only care about the last one really and did not look forward to crafting a patch that would apply to all and test with all versions. So I've chosen to only apply it to the one version I actually tested. Not sure how you normally go about testing this?
saghul
commented
8 years ago I don't mind landing the patch as is TBH, since I have no use for Python 2.6 these days :-) One way to test it would be to only apply this patch to all 2.6 versions and try to build a few of them.
saghul
commented
7 years ago Oops, sorry, forgot about this. Landed!
More recent versions of libssl and distributions shipping them no longer include the SSLv3 symbols. This updates the existing patch to disable SSLv2 from the _ssl module to also exclude SSLv3. This still seems to work correctly and pip can download packages again.