diff options
author | Antoine Pitrou <solipsis@pitrou.net> | 2013-12-28 16:26:33 (GMT) |
---|---|---|
committer | Antoine Pitrou <solipsis@pitrou.net> | 2013-12-28 16:26:33 (GMT) |
commit | 3e86ba4e321d20931648d110e1be12643cb8ff04 (patch) | |
tree | f01df34824605fa2b79dabd905d983ee0d22b44c /Doc/library | |
parent | ecff5e51a5c65037103c23c937a02184050b7117 (diff) | |
download | cpython-3e86ba4e321d20931648d110e1be12643cb8ff04.zip cpython-3e86ba4e321d20931648d110e1be12643cb8ff04.tar.gz cpython-3e86ba4e321d20931648d110e1be12643cb8ff04.tar.bz2 |
Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
Diffstat (limited to 'Doc/library')
-rw-r--r-- | Doc/library/ssl.rst | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index b13861d..ebc9a4e 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -141,13 +141,16 @@ instead. Takes an instance ``sock`` of :class:`socket.socket`, and returns an instance of :class:`ssl.SSLSocket`, a subtype of :class:`socket.socket`, which wraps - the underlying socket in an SSL context. For client-side sockets, the - context construction is lazy; if the underlying socket isn't connected yet, - the context construction will be performed after :meth:`connect` is called on - the socket. For server-side sockets, if the socket has no remote peer, it is - assumed to be a listening socket, and the server-side SSL wrapping is - automatically performed on client connections accepted via the :meth:`accept` - method. :func:`wrap_socket` may raise :exc:`SSLError`. + the underlying socket in an SSL context. ``sock`` must be a + :data:`~socket.SOCK_STREAM` socket; other socket types are unsupported. + + For client-side sockets, the context construction is lazy; if the + underlying socket isn't connected yet, the context construction will be + performed after :meth:`connect` is called on the socket. For + server-side sockets, if the socket has no remote peer, it is assumed + to be a listening socket, and the server-side SSL wrapping is + automatically performed on client connections accepted via the + :meth:`accept` method. :func:`wrap_socket` may raise :exc:`SSLError`. The ``keyfile`` and ``certfile`` parameters specify optional files which contain a certificate to be used to identify the local side of the @@ -836,7 +839,10 @@ to speed up repeated connections from the same clients. server_hostname=None) Wrap an existing Python socket *sock* and return an :class:`SSLSocket` - object. The SSL socket is tied to the context, its settings and + object. *sock* must be a :data:`~socket.SOCK_STREAM` socket; other socket + types are unsupported. + + The returned SSL socket is tied to the context, its settings and certificates. The parameters *server_side*, *do_handshake_on_connect* and *suppress_ragged_eofs* have the same meaning as in the top-level :func:`wrap_socket` function. |