For why SSLv3 has to be disabled, search for SSL POODLE. Simply switching the server from sslv23 to tlsv1 is not an option, because clients still using sslv23 will then be unable to connect. So Python itself has to be patched.
Download and unpack the Python 2.6 source package
mkdir -p ~/rpmbuild/SOURCES
cd ~/rpmbuild/SOURCES
wget http://vault.centos.org/6.5/updates/Source/SPackages/python-2.6.6-52.el6.src.rpm
rpm2cpio python-2.6.6-52.el6.src.rpm | cpio -idmv
Apply the patch, saved as disable-ssl3.patch:
--- /dev/null
+++ b/SOURCES/python-2.6-disable-ssl3.patch
@@ -0,0 +1,17 @@
+--- Python-2.6.6.orig/Modules/_ssl.c
++++ Python-2.6.6/Modules/_ssl.c
+@@ -359,7 +386,12 @@ newPySSLObject(PySocketSockObject *Sock, char *key_file, char *cert_file,
+ }
+
+ /* ssl compatibility */
+- SSL_CTX_set_options(self->ctx, SSL_OP_ALL);
++ long options = SSL_OP_ALL;
++ if (proto_version != PY_SSL_VERSION_SSL2)
++ options |= SSL_OP_NO_SSLv2;
++ if (proto_version != PY_SSL_VERSION_SSL3)
++ options |= SSL_OP_NO_SSLv3;
++ SSL_CTX_set_options(self->ctx, options);
+
+ verification_mode = SSL_VERIFY_NONE;
+ if (certreq == PY_SSL_CERT_OPTIONAL)
+
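Review bot: the new `if (proto_version != PY_SSL_VERSION_SSL3) options |= SSL_OP_NO_SSLv3;` only removes SSLv3 from contexts created with some other protocol constant (in practice PROTOCOL_SSLv23); a caller that passes PROTOCOL_SSLv3 explicitly still gets an SSLv3-only context, so after deploying this build, application code that selects ssl.PROTOCOL_SSLv3 directly still has to be found and changed. Smaller point: `long options = SSL_OP_ALL;` is a declaration after statements inside the block; for a Python 2.6 C module (C89) move it to the top of the function so the patch does not depend on the compiler tolerating mixed declarations and code.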
--- a/SOURCES.bak/python.spec
+++ b/SOURCES/python.spec
@@ -47,7 +47,7 @@
Summary: An interpreted, interactive, object-oriented programming language
Name: %{python}
Version: 2.6.6
-Release: 52%{?dist}
+Release: 52%{?dist}_1
License: Python
Group: Development/Languages
Provides: python-abi = %{pybasever}
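Review bot: `Release: 52%{?dist}_1` makes the rebuilt package compare newer than the stock 52.el6 (rpmvercmp treats the extra `_1` segment as higher), which is needed for it to install over the distro python, but it also means the next vendor update (any release above 52) will replace it and silently restore SSLv3 unless the package is excluded or version-locked in yum; add a %changelog entry saying why the release was bumped and pin the package. The more common local-rebuild form is `52%{?dist}.1`, which sorts the same way.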
@@ -453,6 +453,7 @@ Patch171: python-2.6.6-CVE-2013-4238-hostname-check-bypass-in-SSL-module.patch
# (rhbz#1002983)
Patch172: python-2.6.6-ssl-memory-leak-_get_peer_alt_names.patch
+Patch10000: python-2.6-disable-ssl3.patch
# The core python package contains just the executable and manpages; most of
# the content is now in the -libs subpackage.
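Review bot: `Patch10000: python-2.6-disable-ssl3.patch` is the only patch entry in this hunk without a comment; the entries above it carry a reference (`# (rhbz#1002983)` for Patch172), so add a line above it naming what the patch does (disables SSLv3 negotiation in `_ssl.c` because of POODLE) and that it is a local addition, so whoever next updates the spec knows it must be carried forward. Using 10000 to stay clear of the vendor's patch numbers is fine.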
@@ -790,6 +791,8 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
%patch172 -p1
+%patch10000 -p1
+
# Don't build these crypto algorithms; instead rely on _hashlib and OpenSSL:
for f in md5module.c md5.c shamodule.c sha256module.c sha512module.c; do
rm Modules/$f
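Review bot: `%patch10000 -p1` matches the path depth of the new patch file (`Python-2.6.6/Modules/_ssl.c` with one leading component stripped) and is placed right after `%patch172 -p1`, the last vendor patch, so the ordering is right; the thing to verify is the build log line for this patch, because the inner header `@@ -359,7 +386,12 @@` has old and new start lines 27 apart even though it is the patch's only hunk, which suggests it was cut out of a larger diff. patch will locate it by context, so an "offset N lines" message is acceptable, but a "FAILED" there would leave the build with SSLv3 still enabled.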
With the patch saved as ~/disable-ssl3.patch, run this in ~/rpmbuild/SOURCES (where python.spec was unpacked):
patch < ~/disable-ssl3.patch
Rebuild
rpmbuild -ba python.spec
After that, all you have to do is install the resulting RPM.
openssl s_client -connect ip:port -ssl3
If the SSLv3 handshake fails with an error, the fix is in place.
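A "handshake failed" from that check can mean several things, so here is an added shell example (my own, not part of the original post) that classifies the `openssl s_client -ssl3` output into a verdict. The matched strings assume OpenSSL 1.0.x-style s_client messages, and the embedded transcripts are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: turn the page's manual check
# (openssl s_client -connect ip:port -ssl3) into a verdict, so that a failed
# handshake is not confused with "could not reach the server" or "this openssl
# has no SSLv3 support". Matched strings assume OpenSSL 1.0.x s_client output.

classify_sslv3_probe() {
    # $1 = combined stdout+stderr of: openssl s_client -connect HOST:PORT -ssl3 </dev/null
    case $1 in
        *"unknown option"*|*"Unknown option"*|*"Connection refused"*|*"connect:errno"*|*"gethostbyname failure"*)
            echo inconclusive ;;   # never reached the server, or local openssl lacks -ssl3
        *"alert handshake failure"*|*"alert protocol version"*|*"wrong version number"*|*"Cipher is (NONE)"*)
            echo refused ;;        # server broke off the SSLv3 handshake: the patch works
        *"Protocol  : SSLv3"*)
            echo accepted ;;       # session summary with a real cipher: SSLv3 still enabled
        *)
            echo inconclusive ;;
    esac
}

probe_sslv3() {
    # $1 = host, $2 = port: run the page's command and classify the result
    classify_sslv3_probe "$(openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1)"
}

# Constructed, abbreviated s_client transcripts (not captured from a real host).
SAMPLE_REFUSED='CONNECTED(00000003)
139:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, SSLv3, Cipher is RC4-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA'
SAMPLE_NO_SSL3='unknown option -ssl3
usage: s_client args'

self_check() {
    # Returns 0 only if all three constructed transcripts are classified as intended.
    [ "$(classify_sslv3_probe "$SAMPLE_REFUSED")" = refused ] &&
    [ "$(classify_sslv3_probe "$SAMPLE_ACCEPTED")" = accepted ] &&
    [ "$(classify_sslv3_probe "$SAMPLE_NO_SSL3")" = inconclusive ]
}

self_check && echo "self-check passed; now run: probe_sslv3 HOST PORT"
```

Run `probe_sslv3 HOST PORT` against the rebuilt server; only "refused" confirms the patch, "inconclusive" means the probe itself did not work.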