changeset: 94045:a8c4925e2359 branch: 3.4 parent: 94039:37801e3b82e4 user: Victor Stinner date: Tue Jan 06 12:21:26 2015 +0100 files: Lib/ssl.py Misc/NEWS description: Issue #20896, #22935: The ssl.get_server_certificate() function now uses the ssl.PROTOCOL_SSLv23 protocol by default, not ssl.PROTOCOL_SSLv3, for maximum compatibility and support platforms where ssl.PROTOCOL_SSLv3 support is disabled.
diff -r 37801e3b82e4 -r a8c4925e2359 Lib/ssl.py
--- a/Lib/ssl.py Tue Jan 06 00:40:43 2015 -0600
+++ b/Lib/ssl.py Tue Jan 06 12:21:26 2015 +0100
@@ -922,7 +922,7 @@ d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)] return base64.decodebytes(d.encode('ASCII', 'strict'))
-def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
+def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None):
 """Retrieve the certificate from the server at the specified address, and return it as a PEM-encoded string. If 'ca_certs' is specified, validate the server cert against it.
diff -r 37801e3b82e4 -r a8c4925e2359 Misc/NEWS
--- a/Misc/NEWS Tue Jan 06 00:40:43 2015 -0600
+++ b/Misc/NEWS Tue Jan 06 12:21:26 2015 +0100
@@ -44,6 +44,11 @@ Library -------
+- Issue #20896, #22935: The :func:`ssl.get_server_certificate` function now
+ uses the :data:`~ssl.PROTOCOL_SSLv23` protocol by default, not
+ :data:`~ssl.PROTOCOL_SSLv3`, for maximum compatibility and support platforms
+ where :data:`~ssl.PROTOCOL_SSLv3` support is disabled.
+
 - Issue #23111: In the ftplib, make ssl.PROTOCOL_SSLv23 the default protocol version.
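Review bot: The docstring of `get_server_certificate` in the Lib/ssl.py hunk is left unchanged, so it does not say that the new default `ssl_version=PROTOCOL_SSLv23` negotiates a protocol version instead of pinning one. The `files:` list also shows only Lib/ssl.py and Misc/NEWS, so no test or reference-documentation change accompanies the new default. I would add a docstring sentence such as `The default PROTOCOL_SSLv23 negotiates the highest protocol version both peers support; pass 'ca_certs' if the returned certificate must be validated.` Whether SSLv3 can still be negotiated under this default depends on the options set on the context created in the function body, which lies outside the hunk; it is worth confirming that `OP_NO_SSLv3` is applied there where the platform supports it. Callers that pass `PROTOCOL_SSLv3` explicitly are presumably unaffected by this change and will still fail on platforms where SSLv3 is disabled.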