This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients christian.heimes, ezio.melotti, loewis, pitrou, r.david.murray, rhettinger, vstinner
Date 2014-03-14.11:53:36
Message-id <1394798016.95.0.995358498575.issue20913@psf.upfronthosting.co.za>
In-reply-to
Content
http://docs.python.org/3.4/library/ssl.html#ssl-security doesn't mention http://docs.python.org/3.4/library/ssl.html#ssl.create_default_context and http://docs.python.org/3.4/library/ssl.html#ssl.SSLContext.check_hostname . I planned to write a paragraph about context but my personal life got in my way (new job, relocation, new apartment).

Can somebody please write a few sentences that explain that:

* no stdlib module verifies SSL cert chain and hostname (except for asyncio)
* developers must pass a correctly configured context to stdlib modules to get validation and hostname matching
* ssl.create_default_context() returns a context with sensible default settings *and* pre-loaded root CA certs on most systems.

Example:

>>> import ssl, smtplib
>>> smtp = smtplib.SMTP("mail.python.org", port=587)
>>> context = ssl.create_default_context()
>>> smtp.starttls(context=context)
(220, b'2.0.0 Ready to start TLS')

Example with missing root CA:

>>> smtp = smtplib.SMTP("mail.python.org", port=587)
>>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> context.verify_mode = ssl.CERT_REQUIRED
>>> smtp.starttls(context=context)
Traceback (most recent call last):
...
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
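The following is an added example, not code from the message above or from CPython's documentation. It makes the three bullet points concrete without touching the network: it builds the two kinds of context the message contrasts (the one from ssl.create_default_context() and a hand-assembled one), reports what each will actually enforce when handed to a stdlib client such as smtplib.SMTP.starttls(context=...), and shows the guard that modern Python (3.7 and later, an assumption of this example) puts in the way of silently downgrading a verifying context. The function names are the example's own.

```python
import ssl

# Added example (not code from the original message). Nothing here opens a
# connection; every context is only inspected locally.


def default_context():
    """The context the message recommends: CERT_REQUIRED, hostname matching
    on, and the platform's root CA store loaded where the platform has one."""
    return ssl.create_default_context()


def bare_context():
    """A hand-built context with verification switched off entirely: the
    peer's chain is never checked and any certificate name is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: check_hostname must be cleared before verify_mode can be
    # lowered to CERT_NONE; the reverse order raises ValueError (Python 3.7+).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context():
    """The 'missing root CA' case from the message: CERT_REQUIRED demands a
    chain, but no trust anchors were loaded, so every handshake ends in
    CERTIFICATE_VERIFY_FAILED. Hostname matching is off as well."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_client_context(ctx):
    """Return the reasons a context should NOT be handed to a stdlib client.
    An empty list means both chain validation and hostname matching are on."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: the server chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any host is accepted")
    return findings


def eagerly_loaded_ca_count(ctx):
    """Number of CA certificates the context holds in memory right now.
    A fresh SSLContext reports 0. Caveat: OpenSSL resolves hashed certificate
    directories lazily, so a context from create_default_context() may also
    report 0 on some platforms and still verify chains correctly; treat a
    non-zero value as proof of loaded roots, not a zero as proof of none."""
    return ctx.cert_store_stats()["x509_ca"]


def can_disable_verification_silently(ctx):
    """Try the one-line downgrade people reach for. Since Python 3.7 a context
    with check_hostname=True refuses verify_mode=CERT_NONE with ValueError,
    so the default context cannot be weakened by a single assignment.
    Returns True if the downgrade went through, False if it was refused."""
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name, ctx in (("default", default_context()),
                      ("bare", bare_context()),
                      ("chain-only", chain_only_context())):
        print(name, audit_client_context(ctx) or "ok",
              "eagerly loaded CAs:", eagerly_loaded_ca_count(ctx))
```

Pass the object returned by default_context() as the context argument of the stdlib module you are using (smtp.starttls(context=ctx) in the message's example); a context that audit_client_context() flags gives you an encrypted connection to whoever answers, not to the host you asked for.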