Python: Verify SSLv2 Is Not Supported
Posted by: Eric Hansen
There are two versions of SSL that Python can use, v2 and v3; which ones are available depends on what OpenSSL supports when Python is built. The latest builds of OpenSSL remove support for SSLv2 unless you explicitly tell them to keep it, and given the security risks involved in SSLv2, it’s almost never a good idea to keep it. As such, several Linux distributions have removed support for SSLv2 in favor of the more secure (but still vulnerable) SSLv3. There are still some systems, however, that do support SSLv2 in their default binary packages, such as Arch Linux.
If you’re building a program to support just that version of Linux, then that is fine. But if you want it to support Debian or Fedora as well, for example, you will run into issues. The problem is that if you distribute a pre-compiled version of your Python script (using cx_freeze, for example) built on Arch Linux, it will not run on Debian or Ubuntu, because it will default to using the SSLv2 information. The system you’re running it on doesn’t have support for SSLv2, so any HTTPS attempt will result in the program terminating itself (unless you have some error checking in place).
Resolving this issue can be either very troublesome or very easy, depending on how you want to handle it. One way, which is the hardest, is to recompile OpenSSL on the development system (Arch Linux in this case) and make sure the binaries are compatible. Not only is this time-consuming, it’s also not guaranteed to be foolproof. The other option is to perform some error checking, and I wrote a script just for that.
When the “ssl” module in Python is imported, it generates a list of supported protocols. If the system’s OpenSSL supports it, SSLv2 is in that list. Below is a simple script that you can import into your program to see if SSLv2 is enabled or not:
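The following is an added example, not the author's script: one way to make this check using only public attributes of the `ssl` module. The function names and the two stand-in builds are assumptions made for illustration, and `client_context` goes one step past the check by pinning a TLS 1.2 floor so that nothing depends on a legacy protocol constant.

```python
import ssl
from types import SimpleNamespace

LEGACY = ("SSLv2", "SSLv3")


def legacy_protocols(mod=ssl):
    """Map each legacy protocol name to True if this ssl build exposes it."""
    found = {}
    for name in LEGACY:
        # PROTOCOL_<name> is only defined when OpenSSL was built with it.
        has_const = hasattr(mod, "PROTOCOL_" + name)
        # HAS_<name> (Python 3.7+) can veto it when the build provides the flag.
        found[name] = has_const and bool(getattr(mod, "HAS_" + name, True))
    return found


def require_no_sslv2(mod=ssl):
    """Raise at startup, with a clear message, if SSLv2 is still available."""
    if legacy_protocols(mod)["SSLv2"]:
        raise RuntimeError("ssl module exposes SSLv2; rebuild against an "
                           "OpenSSL without SSLv2 before shipping")


def client_context():
    """Client context that never depends on a legacy protocol constant."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # needs Python 3.7+
    return ctx


# Constructed stand-ins for two builds, so both outcomes can be shown offline.
BUILD_WITH_SSLV2 = SimpleNamespace(PROTOCOL_SSLv2=0, PROTOCOL_SSLv3=1)
BUILD_WITHOUT_SSLV2 = SimpleNamespace(PROTOCOL_SSLv3=1)

if __name__ == "__main__":
    print("this interpreter:", legacy_protocols())
    print("build with SSLv2:", legacy_protocols(BUILD_WITH_SSLV2))
    print("build without   :", legacy_protocols(BUILD_WITHOUT_SSLV2))
    require_no_sslv2(BUILD_WITHOUT_SSLV2)  # passes silently
    print("minimum version :", client_context().minimum_version.name)
```

Calling `require_no_sslv2()` at import time on the build machine, before freezing the program, surfaces the mismatch there rather than on the target system.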




