Christian Heimes added the comment:
http://docs.python.org/3.4/library/ssl.html#ssl-security doesn't mention
http://docs.python.org/3.4/library/ssl.html#ssl.create_default_context and
http://docs.python.org/3.4/library/ssl.html#ssl.SSLContext.check_hostname . I
planned to write a paragraph about context but my personal life got in my way
(new job, relocation, new apartment).
Can somebody please write a few sentences that explain that:
* no stdlib module verifies SSL cert chain and hostname (except for asyncio)
* developers must pass a correctly configured context to stdlib modules to get
validation and hostname matching
* ssl.create_default_context() returns a context with sensible default settings
*and* pre-loaded root CA certs on most systems.
Example:
>>> import ssl, smtplib
>>> smtp = smtplib.SMTP("mail.python.org", port=587)
>>> context = ssl.create_default_context()
>>> smtp.starttls(context=context)
(220, b'2.0.0 Ready to start TLS')
Example with missing root CA:
>>> smtp = smtplib.SMTP("mail.python.org", port=587)
>>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> context.verify_mode = ssl.CERT_REQUIRED
>>> smtp.starttls(context=context)
Traceback (most recent call last):
...
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:598)
----------
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue20913>
_______________________________________
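The following is an added example, not part of the comment above or of CPython's own code. It makes the three points in the comment checkable offline: it inspects an `SSLContext` for the two settings that matter (`verify_mode` and `check_hostname`) and for whether any root CA certificates are actually loaded, and contrasts `ssl.create_default_context()` with a bare context that requires verification but has no trust store, which is the situation that produced the `CERTIFICATE_VERIFY_FAILED` traceback. It uses `ssl.PROTOCOL_TLS_CLIENT` (available since Python 3.6) in place of the deprecated `ssl.PROTOCOL_TLSv1` from the comment; the `starttls_verified` helper, which mirrors the `smtplib` usage in the comment, is the only part that needs network access and is not exercised by the checks.

```python
import smtplib
import ssl


def describe_context(ctx):
    """Report the settings that decide whether a context can validate a peer.

    verify_mode == CERT_REQUIRED  -> the peer's certificate chain is checked
    check_hostname == True        -> the certificate must match the hostname
    ca_certs_loaded               -> number of root CAs in the trust store;
                                     with 0, chain verification can only fail
    """
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "ca_certs_loaded": ctx.cert_store_stats()["x509_ca"],
    }


def can_validate(ctx):
    """True only if chain verification, hostname matching and a trust store are all present."""
    d = describe_context(ctx)
    return d["verifies_chain"] and d["checks_hostname"] and d["ca_certs_loaded"] > 0


def default_context():
    """What the comment recommends: sensible settings plus the system root CAs."""
    return ssl.create_default_context()


def bare_context():
    """The 'missing root CA' case from the comment, using PROTOCOL_TLS_CLIENT.

    Verification is required and hostnames are checked, but no CA certificates
    are loaded, so every handshake ends in CERTIFICATE_VERIFY_FAILED.
    """
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def repaired_context():
    """Fix the bare context by loading the platform trust store explicitly."""
    ctx = bare_context()
    ctx.load_default_certs()
    return ctx


def starttls_verified(host, port=587):
    """smtplib does not verify anything on its own; pass a configured context.

    Network-dependent, so not exercised by the offline checks below.
    """
    smtp = smtplib.SMTP(host, port=port)
    code, msg = smtp.starttls(context=default_context())
    return code, msg


if __name__ == "__main__":
    for name, ctx in (("default", default_context()),
                      ("bare", bare_context()),
                      ("repaired", repaired_context())):
        print(name, describe_context(ctx), "usable:", can_validate(ctx))
```

On a system without a CA bundle (some minimal containers), even `create_default_context()` reports `ca_certs_loaded == 0`, which is exactly why the comment says "on most systems"; the `can_validate` check surfaces that condition before the first connection attempt does.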