This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Documentation of SSL library
Type: enhancement Stage: patch review
Components: Documentation Versions: Python 3.9, Python 3.8, Python 3.7
Status: open Resolution:
Dependencies: Superseder:
Assigned To: docs@python Nosy List: Christophe Nanteuil, christian.heimes, docs@python
Priority: normal Keywords: patch

Created on 2020-03-31 16:40 by Christophe Nanteuil, last changed 2022-04-11 14:59 by admin.

Pull Requests
URL Status Linked Edit
PR 19253 closed Christophe Nanteuil, 2020-03-31 16:48
Messages (4)
msg365398 - (view) Author: Christophe Nanteuil (Christophe Nanteuil) * Date: 2020-03-31 16:40
For the ssl.create_default_context() function, it states that, "if cafile, capath and cadata are None, the function *can* choose to trust the system's default CA certificates instead".
This statement is not clear as, if the values are None, there is no choice and the only elements available are system's default CA.
AFAIK, if the values are not None, it will not fall back to system's default CA even if the given CA does not match.
I propose to modify the end of the sentence with "the function trusts the system's default CA certificates instead".
msg365402 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-03-31 17:18
There are choices beyond our control. For example the operating system may not have a usable trust store. OpenSSL's builtin paths may not be correctly configured to locate the trust store. The user may have configured her/his environment to load other or no CA certs.
msg365408 - (view) Author: Christophe Nanteuil (Christophe Nanteuil) * Date: 2020-03-31 17:32
Thanks for clarifying the choice. I understand that we could state :
" if cafile ... are None, the function falls back to user/system configuration (which is beyond this documentation)."
msg365615 - (view) Author: Christophe Nanteuil (Christophe Nanteuil) * Date: 2020-04-02 18:58
I modified the PR according to the source code: 
"if all three are None and SSLContext.verify_mode is not set to CERT_NONE, this function uses the system's default CA certificates."

The way the system is configured may depend on multiple parameters but I hope this statement is clearer and it disturbs me to read that the function "can choose", all the more for a security module.
Date User Action Args
2022-04-11 14:59:28adminsetgithub: 84308
2020-04-04 03:17:20terry.reedysetversions: - Python 2.7, Python 3.5, Python 3.6
2020-04-02 18:58:48Christophe Nanteuilsetmessages: + msg365615
2020-03-31 17:32:04Christophe Nanteuilsetmessages: + msg365408
2020-03-31 17:18:20christian.heimessetnosy: + christian.heimes
messages: + msg365402
2020-03-31 16:48:39Christophe Nanteuilsetkeywords: + patch
stage: patch review
pull_requests: + pull_request18611
2020-03-31 16:40:57Christophe Nanteuilsettype: enhancement
2020-03-31 16:40:25Christophe Nanteuilcreate