Hi Carlton,

On Tue, Nov 24, 2020 at 11:35 AM Carlton Gibson <carlton.gib...@gmail.com> wrote:
> Ticket 31885 Update SMTP Email Backend to use an SSLContext came in for which
> there's a PR adding `EMAIL_SSL_CAFILE` &co settings to match the existing
> EMAIL_USE_SSL &co settings.
>
> The PR looks fine in itself.
>
> I do wonder about the growth in the number of settings here.
> It looks to my eye to get out of hand.

I think the main problem is that the EMAIL_SSL_* settings map directly to smtplib parameters, and the old ones are deprecated in Python already since 3.6, but not yet in Django:

https://docs.python.org/3.9/library/smtplib.html#smtplib.SMTP.starttls

"Deprecated since version 3.6: keyfile and certfile are deprecated in favor of context. Please use ssl.SSLContext.load_cert_chain() instead, or let ssl.create_default_context() select the system’s trusted CA certificates for you."

so EMAIL_SSL_CERTFILE and EMAIL_SSL_KEYFILE in Django should be marked as deprecated; people using them should be urged to use the new settings.

If I'm not mistaken the old settings also do not do hostname verification, which is a security problem.

So indeed, with adding the new settings there are a bit too many EMAIL_WHATEVER settings; the old ones should be marked deprecated and probably should have been marked as such some Django releases ago.

--
Michiel
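An added example, not part of the original message and not Django's or the PR's code: a sketch of building the SMTP `SSLContext` the quoted Python documentation recommends, plus a check that flags a context with verification switched off, the condition the message raises as a concern. The function names `build_smtp_context`, `audit_context` and `unverified_context` are hypothetical; the arguments stand in for the `EMAIL_SSL_CAFILE`, `EMAIL_SSL_CERTFILE` and `EMAIL_SSL_KEYFILE` settings.

```python
import ssl


def build_smtp_context(cafile=None, certfile=None, keyfile=None):
    """Return a verifying client context (hypothetical helper).

    cafile/certfile/keyfile model the EMAIL_SSL_* settings discussed above.
    """
    # create_default_context() sets verify_mode=CERT_REQUIRED and
    # check_hostname=True; with cafile=None it loads the system trust store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if certfile:
        # Client certificate loaded on the context instead of being passed
        # through the deprecated keyfile/certfile arguments.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Return a list of findings for a context about to be used for SMTP."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def unverified_context():
    """Constructed sample: a context with all verification disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    good = build_smtp_context()
    print("verified context findings:", audit_context(good))
    print("unverified context findings:", audit_context(unverified_context()))
    # The verified context is then passed explicitly, for example:
    #   smtplib.SMTP(host, 587).starttls(context=good)
    #   smtplib.SMTP_SSL(host, 465, context=good)
```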