components/python/python35/patches/20-disable-sslv3.patch
changeset 4912 0b79e9575718
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/python35/patches/20-disable-sslv3.patch	Tue Sep 29 14:11:08 2015 -0700
@@ -0,0 +1,59 @@
+This patch comes from in-house.  It has not yet been submitted upstream,
+but submission is planned.
+
+--- Python-3.5.0rc2/Modules/_ssl.c.~1~	2015-08-25 10:19:14.000000000 -0700
++++ Python-3.5.0rc2/Modules/_ssl.c	2015-09-02 12:37:20.276035208 -0700
+@@ -2281,6 +2281,8 @@
+     options = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+     if (proto_version != PY_SSL_VERSION_SSL2)
+         options |= SSL_OP_NO_SSLv2;
++    if (proto_version != PY_SSL_VERSION_SSL3)
++        options |= SSL_OP_NO_SSLv3;
+     SSL_CTX_set_options(self->ctx, options);
+ 
+ #ifndef OPENSSL_NO_ECDH
+--- Python-3.5.0a4/Lib/test/test_ssl.py.~1~	2015-04-20 00:37:52.000000000 -0700
++++ Python-3.5.0a4/Lib/test/test_ssl.py	2015-04-20 14:13:10.974024879 -0700
+@@ -784,10 +784,7 @@
+     @skip_if_broken_ubuntu_ssl
+     def test_options(self):
+         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+-        # OP_ALL | OP_NO_SSLv2 is the default value
+-        self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
+-                         ctx.options)
+-        ctx.options |= ssl.OP_NO_SSLv3
++        # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
+         self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
+                          ctx.options)
+         if can_clear_options():
+@@ -2451,17 +2448,17 @@
+                             " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
+                             % str(x))
+             if hasattr(ssl, 'PROTOCOL_SSLv3'):
+-                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3')
++                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)
+             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
+             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
+ 
+             if hasattr(ssl, 'PROTOCOL_SSLv3'):
+-                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
++                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
+             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
+             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
+ 
+             if hasattr(ssl, 'PROTOCOL_SSLv3'):
+-                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
++                try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
+             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
+             try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
+ 
+@@ -2493,7 +2490,8 @@
+             try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
+             if no_sslv2_implies_sslv3_hello():
+                 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
+-                try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, 'SSLv3',
++                # until we disabled SSLv3 for Poodle
++                try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False,
+                                    client_options=ssl.OP_NO_SSLv2)
+ 
+         @skip_if_broken_ubuntu_ssl
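Review bot: The new `SSL_OP_NO_SSLv3` default in `_ssl.c` is only pinned for a `PROTOCOL_TLSv1` context in `test_options`; nothing asserts that the `proto_version != PY_SSL_VERSION_SSL3` exception still leaves SSLv3 enabled for an explicit `PROTOCOL_SSLv3` context, so that branch can regress without a test failing. Next to the existing assertions add, guarded by `hasattr(ssl, 'PROTOCOL_SSLv3')`, `ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv3)` and `self.assertFalse(ctx.options & ssl.OP_NO_SSLv3)`, and state in the patch header that only SSLv23/TLS contexts lose SSLv3 by default — a caller that asks for `PROTOCOL_SSLv3` is still exposed to POODLE, and any ssl-module documentation describing the default options as `OP_ALL | OP_NO_SSLv2` presumably needs the same update. The two inner headers were generated against different bases (`Python-3.5.0rc2` for `_ssl.c`, `Python-3.5.0a4` for `test_ssl.py`); regenerating against one tree keeps the hunk offsets reliable when the patch is applied. The `test_options` method and the `try_protocol_combo` runs continue outside the hunk.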