summaryrefslogtreecommitdiffstats
path: root/Doc/library/ssl.rst
diff options
context:
space:
mode:
authorChristian Heimes <christian@python.org>2019-09-12 11:10:05 (GMT)
committerStéphane Wirtel <stephane@wirtel.be>2019-09-12 11:10:05 (GMT)
commit894d0f7d5542ee04556ec1bee8c58506f7c916d4 (patch)
treef4af9a801f9bfb94e7ff296b8a271fdc09e74b5f /Doc/library/ssl.rst
parentf545638b5701652ffbe1774989533cdf5bc6631e (diff)
downloadcpython-894d0f7d5542ee04556ec1bee8c58506f7c916d4.zip
cpython-894d0f7d5542ee04556ec1bee8c58506f7c916d4.tar.gz
cpython-894d0f7d5542ee04556ec1bee8c58506f7c916d4.tar.bz2
bpo-32008: Prefer client or TLSv1_2 in examples (GH-5797)
Prefer client or TLSv1_2 in examples Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'Doc/library/ssl.rst')
-rw-r--r--Doc/library/ssl.rst22
1 files changed, 14 insertions, 8 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 2db48ae..b7af496 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -1882,13 +1882,15 @@ to speed up repeated connections from the same clients.
:meth:`~SSLContext.wrap_socket` in order to match the hostname. Enabling
hostname checking automatically sets :attr:`~SSLContext.verify_mode` from
:data:`CERT_NONE` to :data:`CERT_REQUIRED`. It cannot be set back to
- :data:`CERT_NONE` as long as hostname checking is enabled.
+ :data:`CERT_NONE` as long as hostname checking is enabled. The
+ :data:`PROTOCOL_TLS_CLIENT` protocol enables hostname checking by default.
+ With other protocols, hostname checking must be enabled explicitly.
Example::
import socket, ssl
- context = ssl.SSLContext()
+ context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.verify_mode = ssl.CERT_REQUIRED
context.check_hostname = True
context.load_default_certs()
@@ -2217,19 +2219,23 @@ If you prefer to tune security settings yourself, you might create
a context from scratch (but beware that you might not get the settings
right)::
- >>> context = ssl.SSLContext()
- >>> context.verify_mode = ssl.CERT_REQUIRED
- >>> context.check_hostname = True
+ >>> context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
>>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")
(this snippet assumes your operating system places a bundle of all CA
certificates in ``/etc/ssl/certs/ca-bundle.crt``; if not, you'll get an
error and have to adjust the location)
+The :data:`PROTOCOL_TLS_CLIENT` protocol configures the context for cert
+validation and hostname verification. :attr:`~SSLContext.verify_mode` is
+set to :data:`CERT_REQUIRED` and :attr:`~SSLContext.check_hostname` is set
+to ``True``. All other protocols create SSL contexts with insecure defaults.
+
When you use the context to connect to a server, :const:`CERT_REQUIRED`
-validates the server certificate: it ensures that the server certificate
-was signed with one of the CA certificates, and checks the signature for
-correctness::
+and :attr:`~SSLContext.check_hostname` validate the server certificate: it
+ensures that the server certificate was signed with one of the CA
+certificates, checks the signature for correctness, and verifies other
+properties like validity and identity of the hostname::
>>> conn = context.wrap_socket(socket.socket(socket.AF_INET),
... server_hostname="www.python.org")