ssl: Drop support for unsafe SSLv3 protocol, remove ssl.PROTOCOL_SSLv3

[vstinner]

Python 3.10 removed ssl.PROTOCOL_SSLv2. SSLv2 was deprecated in 2011 by RFC 6176. OpenSSL 1.1.0 (2016) removed SSLv2 support: "SSLv2 support has been removed. It still supports receiving a SSLv2 compatible client hello." Python 3.10 also requires OpenSSL 1.1.1 and newer: PEP 644.

SSLv3 was specified in 2011 by RFC 6101 and deprecated in 2015 by RFC 7568.

In Fedora 36, OpenSSL no longer supports SSLv3: ssl.PROTOCOL_SSLv3 doesn't exist because OpenSSL defines OPENSSL_NO_SSL3 macro.

There is https://disablessl3.com/ website which advices disabling SSLv3 because of the POODLE vulnerability (discovered in September 2014): see also https://www.openssl.org/~bodo/ssl-poodle.pdf

Firefox blocks SSLv3 since 2014: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

OpenSSL wiki: https://wiki.openssl.org/index.php/SSL_and_TLS_Protocols

Is it ok to drop support for SSLv3 right now, is there still Linux distributions providing OpenSSL with SSLv3 support? Is there still servers which only accept SSLv3 but don't support TLSv1.0 or newer? TLS v1.0 and v1.1 are also deprecated... The world is moving towards TLS v1.2 or newer.

[vstinner]

Example on Fedora 36 (openssl-3.0.3-1.fc36.x86_64), SSLv2 and SSLv3 are not listed:

$ openssl ciphers --help
(...)
Cipher specification options:
 -s                  Only supported ciphers
 -tls1               Ciphers compatible with TLS1
 -tls1_1             Ciphers compatible with TLS1.1
 -tls1_2             Ciphers compatible with TLS1.2
 -tls1_3             Ciphers compatible with TLS1.3
 -psk                Include ciphersuites requiring PSK
 -srp                (deprecated) Include ciphersuites requiring SRP
 -ciphersuites val   Configure the TLSv1.3 ciphersuites to use
(...)

[vstinner]

In my PR #94173, @tiran wrote: SSLv2 and SSLv3 are no longer supported.

In PR #94312 I removed the last bits of SSLv2 in Python 3.12.

[vstinner]

Current Python ssl module documentation says:

SSL3.0 is widely considered to be completely broken.

By the way, ssl.SSLContext sets OP_NO_SSLv3 option by default, unless SSLContext(PROTOCOL_SSLv3) is used. The documentation suggests:

ctx = ssl.create_default_context(Purpose.CLIENT_AUTH)
ctx.options &= ~ssl.OP_NO_SSLv3

ssl.PROTOCOL_SSLv3 documentation has a red warning:

SSL version 3 is insecure. Its use is highly discouraged.

[vstinner]

cc @tiran

[encukou]

Is a DeprecationWarning being raised for SSLv3?

[tiran]

Starting Python 3.10 the ssl raises a deprecation warning for all protocols except PROTOCOL_TLS_CLIENT and PROTOCOL_TLS_SERVER as well as all OP_NO_SSL* and OP_NO_TLS* flags. I'm going to remove all flags, protocols, and tests in 3.13.

It is too early to remove SSLv3 from Python. OpenSSL 1.1.1 can be built with SSLv3 support. Only SSLv2 support was removed in 1.1.0.

[vstinner]

It is too early to remove SSLv3 from Python. OpenSSL 1.1.1 can be built with SSLv3 support. Only SSLv2 support was removed in 1.1.0.

Ok ok, I tried to generalize the Fedora case too broadly :-) I was just confused when you wrote that: "SSLv2 and SSLv3 are no longer supported."

I close the issue.