Opened 5 years ago

Closed 5 years ago

#17164 closed defect (worksforme)

Disable SSLv3 by default

Reported by: jmantysalo
Owned by:
Priority: critical
Milestone: sage-duplicate/invalid/wontfix
Component: notebook
Keywords:
Cc: jdemeyer, jpflori
Merged in:
Authors:
Reviewers:
Report Upstream: N/A
Work issues:
Branch:
Commit:
Dependencies:
Stopgaps:

Change History (16)

comment:1 Changed 5 years ago by jmantysalo

  • Type changed from PLEASE CHANGE to defect

comment:2 Changed 5 years ago by vbraun

  • Description modified (diff)

comment:3 Changed 5 years ago by jmantysalo

Is there any temporary fix for this?

comment:4 follow-up: Changed 5 years ago by kcrisman

I don't know, I just saw this, fairly randomly.

Exactly what would we want to do to fix this - upgrade Python? I don't know that we can dump the openssl package, there is nothing to replace it.

comment:5 in reply to: ↑ 4 Changed 5 years ago by jmantysalo

Replying to kcrisman:

> Exactly what would we want to do to fix this - upgrade Python? I don't know that we can dump the openssl package, there is nothing to replace it.

Isn't there any configuration file that could be modified by the Sage team until the package itself is corrected?

comment:6 Changed 5 years ago by kcrisman

Quite possibly! Actually, probably could just patch Python right now. But the point is that I don't know how :-) Since this seems pretty important, do you want to email sage-devel to make people aware of it? Probably most people don't know about this ticket, and ones who would know what to do would respond.

comment:7 Changed 5 years ago by pipedream

https://docs.python.org/2.7/library/ssl.html#ssl.OP_NO_SSLv3

says disabling SSLv3 is "New in version 2.7.9"

Sage 6.4.1 includes Python 2.7.8
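
The option cited in comment 7, shown as an added example that is not part of the ticket thread or of Sage's code: it checks whether an `SSLContext` refuses SSLv3 and sets the flag, failing loudly when the `ssl` module predates `OP_NO_SSLv3`. It is written for a current Python 3; the function names are hypothetical, and the "legacy" context is constructed for the demonstration.

```python
import ssl


def sslv3_disabled(ctx):
    """Return True if ctx carries the OP_NO_SSLv3 option bit."""
    flag = getattr(ssl, "OP_NO_SSLv3", None)
    if flag is None:
        # ssl module older than the option (the 2.7.8 case in the thread):
        # the restriction cannot be expressed, so report it as not disabled.
        return False
    return bool(int(ctx.options) & int(flag))


def disable_legacy_ssl(ctx):
    """Set OP_NO_SSLv2 and OP_NO_SSLv3 on ctx, or raise if they are unavailable."""
    missing = [n for n in ("OP_NO_SSLv2", "OP_NO_SSLv3") if not hasattr(ssl, n)]
    if missing:
        raise RuntimeError("ssl module lacks " + ", ".join(missing))
    # Newer Python 3 releases deprecate these bits in favour of
    # ctx.minimum_version, but still honour them.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def make_server_context():
    """Server-side context with the legacy protocols switched off."""
    return disable_legacy_ssl(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))


def simulate_legacy_default():
    """Constructed 'before' state: a context whose OP_NO_SSLv3 bit is cleared."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_SSLv3)
    return ctx


if __name__ == "__main__":
    before = simulate_legacy_default()
    print("before:", sslv3_disabled(before))
    print("after: ", sslv3_disabled(disable_legacy_ssl(before)))
```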

comment:8 Changed 5 years ago by kcrisman

2.7.9 is supposedly going to be released any day now, see https://www.python.org/dev/peps/pep-0373/ - though I'm not sure we want to be quite that early of an adopter.

comment:9 Changed 5 years ago by kcrisman

  • Cc jdemeyer added

Note that Python 2.9 is apparently now out, as of yesterday.

comment:10 Changed 5 years ago by jpflori

  • Cc jpflori added

comment:11 Changed 5 years ago by dimpase

Should we update to 2.7.9? Among other things it has a bunch of other SSL/TLS fixes, e.g. SNI support.

comment:12 Changed 5 years ago by jmantysalo

Is this done with #18912?

comment:13 Changed 5 years ago by dimpase

  • Status changed from new to needs_review

As we are on Python 2.7.9, this should not be an issue anyway.

comment:14 Changed 5 years ago by dimpase

  • Status changed from needs_review to positive_review

worksforme

comment:15 Changed 5 years ago by jmantysalo

  • Milestone changed from sage-6.4 to sage-duplicate/invalid/wontfix

comment:16 Changed 5 years ago by vbraun

  • Resolution set to worksforme
  • Status changed from positive_review to closed