René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"ssl: Drop support for unsafe SSLv3 protocol, remove ssl.PROTOCOL_SSLv3","articleBody":"Python 3.10 removed ssl.PROTOCOL_SSLv2. SSLv2 was deprecated in 2011 by [RFC 6176](https://tools.ietf.org/html/rfc6176). OpenSSL 1.1.0 (2016) [removed SSLv2 support](https://www.openssl.org/news/changelog.html): \"SSLv2 support has been removed. It still supports receiving a SSLv2 compatible client hello.\" Python 3.10 also requires OpenSSL 1.1.1 and newer: [PEP 644](https://peps.python.org/pep-0644/).\r\n\r\nSSLv3 was specified in 2011 by [RFC 6101](https://datatracker.ietf.org/doc/html/rfc6101) and deprecated in 2015 by [RFC 7568](https://datatracker.ietf.org/doc/html/rfc7568).\r\n\r\nIn Fedora 36, OpenSSL no longer supports SSLv3: ``ssl.PROTOCOL_SSLv3`` doesn't exist because OpenSSL defines OPENSSL_NO_SSL3 macro.\r\n\r\nThere is https://disablessl3.com/ website which advices disabling SSLv3 because of the POODLE vulnerability (discovered in September 2014): see also https://www.openssl.org/~bodo/ssl-poodle.pdf\r\n\r\nFirefox blocks SSLv3 since 2014: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/\r\n\r\nOpenSSL wiki: https://wiki.openssl.org/index.php/SSL_and_TLS_Protocols\r\n\r\nIs it ok to drop support for SSLv3 right now, is there still Linux distributions providing OpenSSL with SSLv3 support? Is there still servers which only accept SSLv3 but don't support TLSv1.0 or newer? TLS v1.0 and v1.1 are also deprecated... The world is moving towards TLS v1.2 or newer.","author":{"url":"https://github.com/vstinner","@type":"Person","name":"vstinner"},"datePublished":"2022-06-28T11:53:26.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":7},"url":"https://github.com/94377/cpython/issues/94377"}