From 9d01717f373d0180e2804c827efbc40d8cf72063 Mon Sep 17 00:00:00 2001 From: Victor Stinner Date: Tue, 6 Jan 2015 12:21:26 +0100 Subject: [PATCH] Issue #20896, #22935: The ssl.get_server_certificate() function now uses the ssl.PROTOCOL_SSLv23 protocol by default, not ssl.PROTOCOL_SSLv3, for maximum compatibility and support platforms where ssl.PROTOCOL_SSLv3 support is disabled. --- Lib/ssl.py | 2 +- Misc/NEWS | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/Lib/ssl.py b/Lib/ssl.py index 392603c56de..3b667ff01ae 100644 --- a/Lib/ssl.py +++ b/Lib/ssl.py @@ -922,7 +922,7 @@ def PEM_cert_to_DER_cert(pem_cert_string): d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)] return base64.decodebytes(d.encode('ASCII', 'strict')) -def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None): +def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None): """Retrieve the certificate from the server at the specified address, and return it as a PEM-encoded string. If 'ca_certs' is specified, validate the server cert against it. diff --git a/Misc/NEWS b/Misc/NEWS index 72d0d5fb0e9..79cb8ee75bc 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -44,6 +44,11 @@ Core and Builtins Library ------- +- Issue #20896, #22935: The :func:`ssl.get_server_certificate` function now + uses the :data:`~ssl.PROTOCOL_SSLv23` protocol by default, not + :data:`~ssl.PROTOCOL_SSLv3`, for maximum compatibility and support platforms + where :data:`~ssl.PROTOCOL_SSLv3` support is disabled. + - Issue #23111: In the ftplib, make ssl.PROTOCOL_SSLv23 the default protocol version.