author | Christian Heimes <christian@python.org> | 2017-09-15 18:29:57 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-09-15 18:29:57 (GMT) |
commit | e82c034496512139e9ea3f68ceda86c04bc7baab (patch) | |
tree | 1fab1d26c6edba33d400598e705dd7269cf77e12 /Doc/library/ssl.rst | |
parent | a170fa162dc03f0a014373349e548954fff2e567 (diff) | |
bpo-31431: SSLContext.check_hostname auto-sets CERT_REQUIRED (#3531)
Signed-off-by: Christian Heimes <christian@python.org>
Diffstat (limited to 'Doc/library/ssl.rst')
-rw-r--r-- | Doc/library/ssl.rst | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index eb4d8ac..1f3e8d5 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -1674,7 +1674,10 @@ to speed up repeated connections from the same clients. :meth:`SSLSocket.do_handshake`. The context's :attr:`~SSLContext.verify_mode` must be set to :data:`CERT_OPTIONAL` or :data:`CERT_REQUIRED`, and you must pass *server_hostname* to - :meth:`~SSLContext.wrap_socket` in order to match the hostname. + :meth:`~SSLContext.wrap_socket` in order to match the hostname. Enabling + hostname checking automatically sets :attr:`~SSLContext.verify_mode` from + :data:`CERT_NONE` to :data:`CERT_REQUIRED`. It cannot be set back to + :data:`CERT_NONE` as long as hostname checking is enabled. Example:: @@ -1691,6 +1694,13 @@ to speed up repeated connections from the same clients. .. versionadded:: 3.4 + .. versionchanged:: 3.7 + + :attr:`~SSLContext.verify_mode` is now automatically changed + to :data:`CERT_REQUIRED` when hostname checking is enabled and + :attr:`~SSLContext.verify_mode` is :data:`CERT_NONE`. Previously + the same operation would have failed with a :exc:`ValueError`. + .. note:: This features requires OpenSSL 0.9.8f or newer. |
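Review bot: In the first hunk (@@ -1674,7 +1674,10 @@), the unchanged sentence directly above the addition still says verify_mode "must be set to" CERT_OPTIONAL or CERT_REQUIRED, which reads as a precondition the caller has to satisfy, while the added sentences say that enabling hostname checking moves CERT_NONE to CERT_REQUIRED by itself. Suggest rewording the older sentence so the two agree. "It cannot be set back to CERT_NONE" also does not say how the refusal surfaces; name the exception raised and note that hostname checking has to be disabled before verify_mode can be lowered.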
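Review bot: In the second hunk (@@ -1691,6 +1694,13 @@), "the same operation" in the versionchanged text has no clear referent; spell it out, for example "Previously, enabling hostname checking while verify_mode was CERT_NONE failed with a ValueError." It would also help to say explicitly whether CERT_OPTIONAL is left as it is, since the paragraph in the first hunk lists it as an accepted mode and the note only covers CERT_NONE. The trailing context line reads "This features requires"; worth correcting in the same change.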