merge 3.4 (#25530)

diff --cc Lib/test/test_ssl.py
index f314ff41daf20afd3d5bf11d6098c79f4dbc1922,a44054cc75dcb4b050afaef5be3245e0969c66d0..548feebb82aeae7fcfb7d1e113b88f2bd68dd595
--- 1/Lib/test/test_ssl.py
--- 2/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@@ -2451,19 -2172,19 +2451,19 @@@ else
                              " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
                              % str(x))
              if hasattr(ssl, 'PROTOCOL_SSLv3'):
-                 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3')
+                 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False)
              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
 -            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True)
 +            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1')
  
              if hasattr(ssl, 'PROTOCOL_SSLv3'):
-                 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
+                 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
 -            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
 +            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
  
              if hasattr(ssl, 'PROTOCOL_SSLv3'):
-                 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
+                 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
              try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
 -            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
 +            try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
  
              # Server with specific SSL options
              if hasattr(ssl, 'PROTOCOL_SSLv3'):

diff --cc Misc/NEWS
index 85dd15864acce6e28cafe8accfc46592564d4a89,89f6d83c6929b5b49d058a6700bed301542c3da7..c79ac83383fe6e70734aee83e23c10b221031069
--- 1/Misc/NEWS
--- 2/Misc/NEWS
+++ b/Misc/NEWS
@@@ -217,26 -208,6 +217,29 @@@ Librar
  - Issue #16180: Exit pdb if file has syntax error, instead of trapping user
    in an infinite loop.  Patch by Xavier de Gaye.
  
 +- Issue #24891: Fix a race condition at Python startup if the file descriptor
 +  of stdin (0), stdout (1) or stderr (2) is closed while Python is creating
 +  sys.stdin, sys.stdout and sys.stderr objects. These attributes are now set
 +  to None if the creation of the object failed, instead of raising an OSError
 +  exception. Initial patch written by Marco Paolini.
 +
 +- Issue #24992: Fix error handling and a race condition (related to garbage
 +  collection) in collections.OrderedDict constructor.
 +
 +- Issue #24881: Fixed setting binary mode in Python implementation of FileIO
 +  on Windows and Cygwin.  Patch from Akira Li.
 +
++- Issue #25530: Disable the vulnerable SSLv3 protocol by default when creating
++  ssl.SSLContext.
++
 +- Issue #25569: Fix memory leak in SSLSocket.getpeercert().
 +
 +- Issue #25471: Sockets returned from accept() shouldn't appear to be
 +  nonblocking.
 +
 +- Issue #25319: When threading.Event is reinitialized, the underlying condition
 +  should use a regular lock rather than a recursive lock.
 +
  - Issue #21112: Fix regression in unittest.expectedFailure on subclasses.
    Patch from Berker Peksag.
  

diff --cc Modules/_ssl.c
Simple merge