This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: SSL create_default_socket purpose insufficiently documented
Type: enhancement Stage: resolved
Components: Documentation, SSL Versions: Python 3.7, Python 3.6
process
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: docs@python Nosy List: christian.heimes, docs@python, martin.panter, messa
Priority: normal Keywords:

Created on 2015-06-26 13:05 by messa, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (2)
msg245852 - (view) Author: Petr Messner (messa) Date: 2015-06-26 13:05
Please, is it possible to put more information about the purpose parameter to the documentation of ssl.create_default_context()? It's not obvious that SERVER_AUTH should be used for client sockets and not server sockets. It took me a while to discover this, while all I was getting was only "SSLEOFError: EOF occurred in violation of protocol" (which is also not helpful).

This is especially confusing, because OpenSSL uses serverAuth and clientAuth (for extendedKeyUsage configuration) in the exactly opposite meaning.
msg245853 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2015-06-26 13:29
Python uses serverAuth and clientAuth in the exact same meaning as EKU (extended key usage). In order to create X.509 cert for a web server, it should have EKU "SSL/TLS Web Server Authentication". On the other hand a client must validate the cert for a specific purpose, too. So the client creates a context with purpose SERVER_AUTH. This loads only trust anchors which are flagged with EKU "SSL/TLS Web Server Authentication".

For TLS/SSL server it is the other way around. The server side uses a context with CLIENT_AUTH to load only root certs that can validate client certs. Other purposes aren't supported because Python's ssl does neither support S/MIME nor code signing.

https://docs.python.org/2/library/ssl.html#ssl.SSLContext.load_default_certs explains the purpose flags, too.
History
Date User Action Args
2022-04-11 14:58:18adminsetgithub: 68704
2017-09-07 02:37:15christian.heimessetstatus: open -> closed
resolution: out of date
stage: resolved
2016-09-15 07:54:16christian.heimessetcomponents: + SSL
2016-09-08 15:25:40christian.heimessetversions: + Python 3.6, Python 3.7, - Python 3.4
2015-06-27 01:10:36martin.pantersetnosy: + martin.panter
2015-06-26 13:29:40christian.heimessetnosy: + christian.heimes
messages: + msg245853
2015-06-26 13:05:40messacreate