Developers are still surprised that Python's ssl library doesn't validate SSL certs by default. We should add a *big* warning to the SSL module as well as to all consumers (http, ftp, imap, pop, smtp, nntp ...) that neither the CA cert chain nor the hostname are validated by default. (AFAIK only http.client does match_hostname()).

There is already an entire section about this:
http://docs.python.org/dev/library/ssl.html#security-considerations

It's up to consumers of the API to choose their security policy, the ssl module merely provides building blocks to implement it. I think the ssl docs are sufficiently explicit about it right now, we're not going to add warnings every time we think something is important to read.

As for "developers [who] are still surprised", well, most of them shouldn't use the ssl module directly.

> There is already an entire section about this:
> http://docs.python.org/dev/library/ssl.html#security-considerations

So we just need to add a link from http, ftp, imap, ... to this section?

Using only http://docs.python.org/dev/library/ftplib.html#ftp-tls-objects documentation, I don't see how to plug my own SSL validation code. I don't see any SSL context object or things like that.

I suggest that we add a red warning box at the top of the SSL module, too.

Something like the following?

Sounds good.

New changeset f86fdaf529ea by Antoine Pitrou in branch '3.3':
Issue #19508: direct the user to read the security considerations for the ssl module
http://hg.python.org/cpython/rev/f86fdaf529ea

New changeset 18d95780100e by Antoine Pitrou in branch 'default':
Issue #19508: direct the user to read the security considerations for the ssl module
http://hg.python.org/cpython/rev/18d95780100e

New changeset a197b3c3b2c9 by Antoine Pitrou in branch '2.7':
Issue #19508: warn that ssl doesn't validate certificates by default
http://hg.python.org/cpython/rev/a197b3c3b2c9

I've added a different warning to 2.7, as the ssl docs there don't have the "security considerations" section.