Python SSL Default Context and Missing TLS 1.1 / SSL 2 Cipher Support Explained
Author: vlogommentary
Uploaded: 2026-01-03
Understand why Python's default SSL context lists no cipher suites for TLS 1.1 or SSL 2, and how to build a context that permits older TLS versions if that is truly necessary.
---
This video is based on the question https://stackoverflow.com/q/79387778/ asked by the user 'Swee from Swee Studios.' ( https://stackoverflow.com/u/20745085/ ) and on the answer https://stackoverflow.com/a/79388052/ provided by the user 'Steffen Ullrich' ( https://stackoverflow.com/u/3081018/ ) at the 'Stack Overflow' website. Thanks to these great users and the Stack Exchange community for their contributions.
Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: Python SSL default context not including TLS 1.1 or SSL 2 ciphers
Also, content (except music) is licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.
If anything seems off to you, please feel free to drop me a comment under this video.
---
Introduction
When using Python's ssl module to create secure connections, you might notice that the cipher suites exposed by the default SSL context belong only to TLS 1.2 and TLS 1.3; nothing is listed for older protocols such as TLS 1.1 or SSL 2. This causes connection failures against servers or devices that can only speak those outdated protocols.
This post explains why this happens, the security considerations behind it, and how to configure a Python SSLContext that explicitly enables older TLS versions if that is absolutely required.
Why TLS 1.1 and SSL 2 Are Missing in Python's Default SSL Context
SSL 2 and SSL 3 are obsolete: SSL 2 has been broken for decades and modern TLS stacks have removed it entirely (OpenSSL dropped it in 1.1.0). SSL 3 is disabled by default in current builds because of its design flaws, POODLE being the best-known attack.
TLS 1.0 and TLS 1.1 are deprecated: RFC 8996 formally deprecates both. They are still occasionally available, but they depend on SHA-1 and MD5 in the handshake and are considered weak by modern standards.
The default context prioritizes security: since Python 3.10, ssl.create_default_context() sets minimum_version to TLS 1.2, so no suite that only exists for older versions can be listed or negotiated. On top of that, OpenSSL 3 refuses TLS 1.0 and 1.1 handshakes at its default security level, independently of what Python asks for.
So the absence of TLS 1.1 and SSL 2 cipher suites in the default cipher list is intentional, reflecting current best practice rather than a missing feature.
Should You Support TLS 1.0 or TLS 1.1?
Prefer upgrading: If possible, upgrade servers and clients to support TLS 1.2 or higher to ensure robust security.
Isolate legacy systems: If older protocols must be supported, restrict access to isolated or trusted networks to minimize risk.
Recognize the risks: relying on TLS 1.0 or 1.1 signals the presence of outdated and unpatched software, and attacks against these versions, while sometimes theoretical, can expose sensitive data.
Treat a connection failure caused by a TLS 1.1-only peer as a security feature, not a bug.
How to Enable TLS 1.0 and TLS 1.1 Support in Python SSL Context
If legacy support is unavoidable, you can manually configure the SSL context to permit older versions:
[[See Video to Reveal this Text or Code Snippet]]
Important Notes:
The above sets OpenSSL's security level to 0, which switches off its minimum-strength checks on key sizes, signature hashes and protocol versions; it is the only way OpenSSL 3 will negotiate TLS 1.0 or 1.1.
Use this configuration only if you understand the risks and have no alternatives.
Always prefer TLS 1.2+ when possible.
When testing such a connection with OpenSSL's s_client tool, pass the same relaxations explicitly (the legacy protocol version and a cipher string with @SECLEVEL=0), otherwise s_client fails exactly like the Python default context does:
[[See Video to Reveal this Text or Code Snippet]]
About SSL 3 and SSL 2 Support
Enabling SSL 3 or SSL 2 is a different matter and usually requires:
Compiling an older OpenSSL release that still contains these protocols (SSL 2 was removed in OpenSSL 1.1.0, and SSL 3 is disabled at build time by default since then).
Rebuilding Python's _ssl bindings against that library, or using legacy libraries.
Given their profound security flaws, modern software should not support SSL 2 or SSL 3 at all.
Summary
Python's SSL default context excludes TLS 1.1 and SSL 2 to improve security.
Use explicit SSLContext configuration to support older TLS versions if absolutely needed.
Upgrading systems to TLS 1.2 or higher is strongly recommended.
Legacy protocol usage should be carefully isolated and managed.
Understanding these choices helps maintain secure applications while addressing legacy compatibility issues.