author: Benjamin Peterson <benjamin@python.org> 2014-11-24 03:02:02 (GMT)
committer: Benjamin Peterson <benjamin@python.org> 2014-11-24 03:02:02 (GMT)
commit: e3e7d40514e5dd0c3847682a719577efcfae1d8f (patch)
tree: fa309a48cefeaaf043c182dcca5e7ab58ab8200f /Doc
parent: b206473ef8a7abe9abf5ab8776ea3bcb90adc747 (diff)
pep 476: verify certificates by default (#22417)
Diffstat (limited to 'Doc')
-rw-r--r-- Doc/library/httplib.rst   | 8
-rw-r--r-- Doc/library/xmlrpclib.rst | 7
-rw-r--r-- Doc/whatsnew/2.7.rst      | 23
3 files changed, 31 insertions, 7 deletions
diff --git a/Doc/library/httplib.rst b/Doc/library/httplib.rst
index 23b0e64..b659fd0 100644
--- a/Doc/library/httplib.rst
+++ b/Doc/library/httplib.rst
@@ -90,9 +90,6 @@ The module provides the following classes:
server's certificate. If you want to change that behaviour, you can
explicitly set *check_hostname* to False.
- .. warning::
- This does not do any verification of the server's certificate.
-
.. versionadded:: 2.0
.. versionchanged:: 2.6
@@ -104,6 +101,11 @@ The module provides the following classes:
.. versionchanged:: 2.7.9
*context* and *check_hostname* was added.
+ This class now performs all the necessary certificate and hostname checks
+ by default. To revert to the previous, unverified, behavior
+ :func:`ssl._create_unverified_context` can be passed to the *context*
+ parameter.
+
.. class:: HTTPResponse(sock, debuglevel=0, strict=0)
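Review bot: the added paragraph points users at `ssl._create_unverified_context`, an underscore-prefixed name, as the documented way to "revert" without saying what is being given up; suggest stating in the same sentence that it disables all certificate and hostname verification for that connection, and mentioning the targeted alternative (passing a context built with `ssl.create_default_context` and a custom *cafile*, as the whatsnew entry in this same commit shows) for hosts whose certificate is not in the platform trust store, so the global opt-out is not the first thing readers reach for. Minor, on the context line above: "*context* and *check_hostname* was added" should read "were added".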
diff --git a/Doc/library/xmlrpclib.rst b/Doc/library/xmlrpclib.rst
index 720da39..3aa8be0 100644
--- a/Doc/library/xmlrpclib.rst
+++ b/Doc/library/xmlrpclib.rst
@@ -34,11 +34,10 @@ between conformable Python objects and XML on the wire.
constructed data. If you need to parse untrusted or unauthenticated data see
:ref:`xml-vulnerabilities`.
-.. warning::
-
- In the case of https URIs, :mod:`xmlrpclib` does not do any verification of
- the server's certificate.
+.. versionchanged:: 2.7.9
+ For https URIs, :mod:`xmlrpclib` now performs all the necessary certificate
+ and hostname checks by default
.. class:: ServerProxy(uri[, transport[, encoding[, verbose[, allow_none[, use_datetime]]]]])
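Review bot: the new versionchanged text is missing its full stop ("...hostname checks by default" should end with a period). Unlike the httplib hunk, this entry also gives no way to supply a custom CA file or opt out; the `ServerProxy` signature shown on the context line below has no *context* argument, so either document how a verifying context (or an unverified one) reaches the underlying httplib connection here, or add a cross-reference to the httplib section that does.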
diff --git a/Doc/whatsnew/2.7.rst b/Doc/whatsnew/2.7.rst
index 9b02687..65eaf17 100644
--- a/Doc/whatsnew/2.7.rst
+++ b/Doc/whatsnew/2.7.rst
@@ -2646,6 +2646,29 @@ and :ref:`distutils-index`.
PEP written by Donald Stufft and Nick Coghlan, implemented by
Donald Stufft, Nick Coghlan, Martin von Löwis and Ned Deily.
+PEP 476: Enabling certificate verification by default for stdlib http clients
+-----------------------------------------------------------------------------
+
+:mod:`httplib` and modules which use it, such as :mod:`urllib2` and
+:mod:`xmlrpclib`, will now verify that the server presents a certificate
+which is signed by a CA in the platform trust store and whose hostname matches
+the hostname being requested by default, significantly improving security for
+many applications.
+
+For applications which require the old previous behavior, they can pass an
+alternate context::
+
+ import urllib2
+ import ssl
+
+ # This disables all verification
+ context = ssl._create_unverified_context()
+
+ # This allows using a specific certificate for the host, which doesn't need
+ # to be in the trust store
+ context = ssl.create_default_context(cafile="/path/to/file.crt")
+
+ urllib2.urlopen("https://invalid-cert", context=context)
.. ======================================================================
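Review bot: the snippet assigns `context` twice, so run as written the `_create_unverified_context()` result is dead and only the *cafile* context reaches `urlopen`; present the two as separate alternatives (two short snippets, or comment one assignment out) so a reader copying the block does not end up with a different context than the comment they read. Also in the lead-in, "the old previous behavior, they can pass" is redundant and ungrammatical; "Applications which require the previous behavior can pass an alternate context::" reads cleanly. The `# This disables all verification` comment is good and should be the wording the httplib doc borrows.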