1 This patch comes from in-house.  It has not yet been submitted upstream,

     2 but submission is planned.

     3 

     4 --- Python-3.4.2/Modules/_ssl.c.~1~	2014-10-08 01:18:15.000000000 -0700

     5 +++ Python-3.4.2/Modules/_ssl.c	2015-01-08 12:47:54.633548859 -0800

     6 @@ -2059,6 +2059,8 @@

     7      options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;

     8      if (proto_version != PY_SSL_VERSION_SSL2)

     9          options |= SSL_OP_NO_SSLv2;

    10 +    if (proto_version != PY_SSL_VERSION_SSL3)

    11 +        options |= SSL_OP_NO_SSLv3;

    12      SSL_CTX_set_options(self->ctx, options);

    13  

    14  #ifndef OPENSSL_NO_ECDH

    15 --- Python-3.4.2/Lib/test/test_ssl.py.~1~	2014-10-08 01:18:14.000000000 -0700

    16 +++ Python-3.4.2/Lib/test/test_ssl.py	2015-01-08 18:09:09.276695442 -0800

    17 @@ -674,10 +674,7 @@

    18      @skip_if_broken_ubuntu_ssl

    19      def test_options(self):

    20          ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)

    21 -        # OP_ALL | OP_NO_SSLv2 is the default value

    22 -        self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,

    23 -                         ctx.options)

    24 -        ctx.options |= ssl.OP_NO_SSLv3

    25 +        # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value

    26          self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,

    27                           ctx.options)

    28          if can_clear_options():

    29 @@ -2149,15 +2146,15 @@

    30                          sys.stdout.write(

    31                              " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"

    32                              % str(x))

    33 -            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True)

    34 +            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)

    35              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)

    36              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True)

    37  

    38 -            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)

    39 +            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)

    40              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)

    41              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)

    42  

    43 -            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)

    44 +            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)

    45              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)

    46              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)

    47  

    48 @@ -2186,7 +2183,8 @@

    49              try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)

    50              if no_sslv2_implies_sslv3_hello():

    51                  # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs

    52 -                try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, True,

    53 +                # until we disabled SSLv3 for Poodle

    54 +                try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False,

    55                                     client_options=ssl.OP_NO_SSLv2)

    56  

    57          @skip_if_broken_ubuntu_ssl