classification
Title: Add warning that Python doesn't verify SSL certs by default
Type: enhancement Stage: resolved
Components: Documentation Versions: Python 3.3, Python 3.4
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: docs@python Nosy List: christian.heimes, docs@python, georg.brandl, giampaolo.rodola, janssen, pitrou, python-dev, vstinner
Priority: high Keywords: patch

Created on 2013-11-05 22:52 by christian.heimes, last changed 2013-12-22 17:48 by pitrou. This issue is now closed.

Files
File name Uploaded Description Edit
sslsec.patch pitrou, 2013-11-17 14:15
Messages (9)
msg202245 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-05 22:52
Developers are still surprised that Python's ssl library doesn't validate SSL certs by default. We should add a *big* warning to the SSL module as well as to all consumers (http, ftp, imap, pop, smtp, nntp ...) that neither the CA cert chain nor the hostname are validated by default. (AFAIK only http.client does match_hostname()).
msg202256 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-11-06 08:54
There is already an entire section about this:
http://docs.python.org/dev/library/ssl.html#security-considerations

It's up to consumers of the API to choose their security policy, the ssl module merely provides building blocks to implement it. I think the ssl docs are sufficiently explicit about it right now, we're not going to add warnings every time we think something is important to read.

As for "developers [who] are still surprised", well, most of them shouldn't use the ssl module directly.
msg202257 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2013-11-06 09:29
> There is already an entire section about this:
> http://docs.python.org/dev/library/ssl.html#security-considerations

So we just need to add a link from http, ftp, imap, ... to this section?

Using only http://docs.python.org/dev/library/ftplib.html#ftp-tls-objects documentation, I don't see how to plug my own SSL validation code. I don't see any SSL context object or things like that.
msg203157 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-17 14:01
I suggest that we add a red warning box at the top of the SSL module, too.
msg203163 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-11-17 14:15
Something like the following?
msg203176 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2013-11-17 14:35
Sounds good.
msg203178 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2013-11-17 14:36
New changeset f86fdaf529ea by Antoine Pitrou in branch '3.3':
Issue #19508: direct the user to read the security considerations for the ssl module
http://hg.python.org/cpython/rev/f86fdaf529ea

New changeset 18d95780100e by Antoine Pitrou in branch 'default':
Issue #19508: direct the user to read the security considerations for the ssl module
http://hg.python.org/cpython/rev/18d95780100e
msg203182 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2013-11-17 14:43
New changeset a197b3c3b2c9 by Antoine Pitrou in branch '2.7':
Issue #19508: warn that ssl doesn't validate certificates by default
http://hg.python.org/cpython/rev/a197b3c3b2c9
msg203184 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-11-17 14:43
I've added a different warning to 2.7, as the ssl docs there don't have the "security considerations" section.
History
Date User Action Args
2013-12-22 17:48:59pitrousetstatus: open -> closed
2013-11-17 14:43:40pitrousetresolution: fixed
stage: needs patch -> resolved
messages: + msg203184
versions: - Python 2.7, Python 3.2
2013-11-17 14:43:04python-devsetmessages: + msg203182
2013-11-17 14:36:13python-devsetnosy: + python-dev
messages: + msg203178
2013-11-17 14:35:19georg.brandlsetnosy: + georg.brandl
messages: + msg203176
2013-11-17 14:15:36pitrousetfiles: + sslsec.patch
keywords: + patch
messages: + msg203163
2013-11-17 14:01:35christian.heimessetmessages: + msg203157
2013-11-06 09:29:15vstinnersetnosy: + vstinner
messages: + msg202257
2013-11-06 08:54:56pitrousetmessages: + msg202256
2013-11-05 22:52:07christian.heimescreate