#35653: SSL error sending mail
-----------------------------+--------------------------------------
Reporter: dkaylor | Owner: (none)
Type: Bug | Status: new
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+--------------------------------------
Comment (by Mike Edmunds):

This makes sense to me, but Python's SSL/TLS is a little outside my
expertise. It would be good to get Mariusz's input.

Django 4.2 changed to use ssl.create_default_context() if neither certfile
nor keyfile is set. This enables certificate validation and hostname
checking, and is a Python
[https://docs.python.org/3/library/ssl.html#security-considerations ssl security best practice].

I wonder if we shouldn't also be using
ssl.create_default_context(capath=...) when an EMAIL_SSL_CERTFILE is
provided, for exactly the same reasons? Followed by load_cert_chain() when
necessary. (This would require a release note
[https://docs.djangoproject.com/en/4.2/releases/4.2/#miscellaneous:~:text=EmailBackend%20now%20verifies%20a%20hostname%20and%20certificates.%20If%20you%20need%20the%20previous%20behavior%20that%20is%20less%20restrictive%20and%20not%20recommended%2C%20subclass%20EmailBackend%20and%20override%20the%20ssl_context%20property.
similar to the one in 4.2].)

See also ticket:34550 and [https://stackoverflow.com/a/78474038 this
StackOverflow answer].
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
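
An added example, not part of the ticket or of Django's code: the construction the comment suggests (ssl.create_default_context() followed by load_cert_chain() when a client certificate is supplied), next to a context built directly with ssl.SSLContext for contrast, with the settings that decide whether a server certificate is accepted. The function names and the certfile/keyfile/cafile/capath parameters are assumptions made for illustration.

```python
import ssl


def bare_client_context():
    """Client context built directly: verification is required, but no
    CA certificates are loaded, so there is nothing to verify against."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def proposed_client_context(certfile=None, keyfile=None, cafile=None, capath=None):
    """Default context first (trust store + hostname checking), then the
    optional client certificate. Parameter names are hypothetical."""
    # With cafile/capath left as None, the system default CA locations are used.
    context = ssl.create_default_context(cafile=cafile, capath=capath)
    if certfile:
        # Client certificate for mutual TLS; keyfile may be None when the
        # private key is stored in the same file as the certificate.
        context.load_cert_chain(certfile, keyfile)
    return context


def policy(context):
    """Summarise the settings that govern server certificate acceptance."""
    return {
        "verify_mode": context.verify_mode.name,
        "check_hostname": context.check_hostname,
        # Counts CA certificates already in memory. Directories given as a
        # capath are read lazily, so the default context can report 0 here
        # on some systems even though a trust store is configured.
        "ca_certs_loaded": context.cert_store_stats()["x509_ca"],
    }


if __name__ == "__main__":
    for name, ctx in (
        ("bare", bare_client_context()),
        ("default", proposed_client_context()),
    ):
        print(name, policy(ctx))
```

Both contexts require a valid certificate and a matching hostname; the bare one has no trust anchors until load_verify_locations() or load_default_certs() is called on it, so it rejects every server certificate.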