summaryrefslogtreecommitdiffstats
path: root/Doc/whatsnew
diff options
context:
space:
mode:
authorBenjamin Peterson <benjamin@python.org>2014-11-03 19:29:33 (GMT)
committerBenjamin Peterson <benjamin@python.org>2014-11-03 19:29:33 (GMT)
commit4ffb0752710f0c0720d4f2af0c4b7ce1ebb9d2bd (patch)
tree5082a5a3f18e25c9f0c7ede2717f7170e11b722f /Doc/whatsnew
parent8cf7c1cff0f1176387118826fffdf1c517405f3a (diff)
downloadcpython-4ffb0752710f0c0720d4f2af0c4b7ce1ebb9d2bd.zip
cpython-4ffb0752710f0c0720d4f2af0c4b7ce1ebb9d2bd.tar.gz
cpython-4ffb0752710f0c0720d4f2af0c4b7ce1ebb9d2bd.tar.bz2
PEP 476: enable HTTPS certificate verification by default (#22417)
Patch by Alex Gaynor with some modifications by me.
Diffstat (limited to 'Doc/whatsnew')
-rw-r--r--Doc/whatsnew/3.4.rst29
1 files changed, 29 insertions, 0 deletions
diff --git a/Doc/whatsnew/3.4.rst b/Doc/whatsnew/3.4.rst
index 7129f54..bc3a6cc 100644
--- a/Doc/whatsnew/3.4.rst
+++ b/Doc/whatsnew/3.4.rst
@@ -2504,3 +2504,32 @@ Changes in the C API
* The ``f_tstate`` (thread state) field of the :c:type:`PyFrameObject`
structure has been removed to fix a bug: see :issue:`14432` for the
rationale.
+
+Changed in 3.4.3
+================
+
+.. _pep-476:
+
+PEP 476: Enabling certificate verification by default for stdlib http clients
+-----------------------------------------------------------------------------
+
+:mod:`http.client` and modules which use it, such as :mod:`urllib.request` and
+:mod:`xmlrpc.client`, will now verify that the server presents a certificate
+which is signed by a CA in the platform trust store and whose hostname matches
+the hostname being requested by default, significantly improving security for
+many applications.
+
+For applications which require the old previous behavior, they can pass an
+alternate context::
+
+ import urllib.request
+ import ssl
+
+ # This disables all verification
+ context = ssl._create_unverified_context()
+
+ # This allows using a specific certificate for the host, which doesn't need
+ # to be in the trust store
+ context = ssl.create_default_context(cafile="/path/to/file.crt")
+
+ urllib.request.urlopen("https://invalid-cert", context=context)