Message213537
http://docs.python.org/3.4/library/ssl.html#ssl-security doesn't mention http://docs.python.org/3.4/library/ssl.html#ssl.create_default_context and http://docs.python.org/3.4/library/ssl.html#ssl.SSLContext.check_hostname. I planned to write a paragraph about context but my personal life got in my way (new job, relocation, new apartment).
Can somebody please write a few sentences that explain that:
* no stdlib module verifies SSL cert chain and hostname (except for asyncio)
* developers must pass a correctly configured context to stdlib modules to get validation and hostname matching
* ssl.create_default_context() returns a context with sensible default settings *and* pre-loaded root CA certs on most systems.
Example:
>>> import ssl, smtplib
>>> smtp = smtplib.SMTP("mail.python.org", port=587)
>>> context = ssl.create_default_context()
>>> smtp.starttls(context=context)
(220, b'2.0.0 Ready to start TLS')
Example with missing root CA:
>>> smtp = smtplib.SMTP("mail.python.org", port=587)
>>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> context.verify_mode = ssl.CERT_REQUIRED
>>> smtp.starttls(context=context)
Traceback (most recent call last):
...
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)

Date | User | Action | Args
2014-03-14 11:53:36 | christian.heimes | set | recipients: + christian.heimes, loewis, rhettinger, pitrou, vstinner, ezio.melotti, r.david.murray
2014-03-14 11:53:36 | christian.heimes | set | messageid: <1394798016.95.0.995358498575.issue20913@psf.upfronthosting.co.za>
2014-03-14 11:53:36 | christian.heimes | link | issue20913 messages
2014-03-14 11:53:36 | christian.heimes | create |