summaryrefslogtreecommitdiffstats
path: root/Doc/library/ssl.rst
diff options
context:
space:
mode:
authorWilliam Woodruff <william@yossarian.net>2024-03-06 21:44:58 (GMT)
committerGitHub <noreply@github.com>2024-03-06 21:44:58 (GMT)
commit0876b921b28bb14e3fa61b188e52fc9b4c77cb1a (patch)
tree62bc49024ede52d872ea9a270390bb338709b653 /Doc/library/ssl.rst
parentea1803e608a7aaf9cf2c07e510d8540d46d3b9ad (diff)
downloadcpython-0876b921b28bb14e3fa61b188e52fc9b4c77cb1a.zip
cpython-0876b921b28bb14e3fa61b188e52fc9b4c77cb1a.tar.gz
cpython-0876b921b28bb14e3fa61b188e52fc9b4c77cb1a.tar.bz2
gh-107361: strengthen default SSL context flags (#112389)
This adds `VERIFY_X509_STRICT` to make the default SSL context perform stricter (per RFC 5280) validation, as well as `VERIFY_X509_PARTIAL_CHAIN` to enforce more standards-compliant path-building behavior. As part of this changeset, I had to tweak `make_ssl_certs.py` slightly to emit 5280-conforming CA certs. This changeset includes the regenerated certificates after that change. Signed-off-by: William Woodruff <william@yossarian.net> Co-authored-by: Victor Stinner <vstinner@python.org>
Diffstat (limited to 'Doc/library/ssl.rst')
-rw-r--r--Doc/library/ssl.rst20
1 files changed, 20 insertions, 0 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 84b3c25..3564855 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -151,6 +151,12 @@ purposes.
variable :envvar:`SSLKEYLOGFILE` is set, :func:`create_default_context`
enables key logging.
+ The default settings for this context include
+ :data:`VERIFY_X509_PARTIAL_CHAIN` and :data:`VERIFY_X509_STRICT`.
+ These make the underlying OpenSSL implementation behave more like
+ a conforming implementation of :rfc:`5280`, in exchange for a small
+ amount of incompatibility with older X.509 certificates.
+
.. note::
The protocol, options, cipher and other settings may change to more
restrictive values anytime without prior deprecation. The values
@@ -172,6 +178,15 @@ purposes.
ctx = ssl.create_default_context(Purpose.CLIENT_AUTH)
ctx.options &= ~ssl.OP_NO_SSLv3
+ .. note::
+ This context enables :data:`VERIFY_X509_STRICT` by default, which
+ may reject pre-:rfc:`5280` or malformed certificates that the
+ underlying OpenSSL implementation otherwise would accept. While disabling
+ this is not recommended, you can do so using::
+
+ ctx = ssl.create_default_context()
+ ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
+
.. versionadded:: 3.4
.. versionchanged:: 3.4.4
@@ -194,6 +209,11 @@ purposes.
:data:`PROTOCOL_TLS_SERVER` protocol instead of generic
:data:`PROTOCOL_TLS`.
+ .. versionchanged:: 3.13
+
+ The context now uses :data:`VERIFY_X509_PARTIAL_CHAIN` and
+ :data:`VERIFY_X509_STRICT` in its default verify flags.
+
Exceptions
^^^^^^^^^^