summaryrefslogtreecommitdiffstats
path: root/Doc
diff options
context:
space:
mode:
authorDonald Stufft <donald@stufft.io>2014-03-24 23:26:03 (GMT)
committerDonald Stufft <donald@stufft.io>2014-03-24 23:26:03 (GMT)
commit4137465bf546964736e45bed16a15d05000b26e8 (patch)
tree04af280f096e0831f68799b32db419e7f82265a0 /Doc
parentd9a735234813fec6df7fe080f46e9cfd5a564c57 (diff)
downloadcpython-4137465bf546964736e45bed16a15d05000b26e8.zip
cpython-4137465bf546964736e45bed16a15d05000b26e8.tar.gz
cpython-4137465bf546964736e45bed16a15d05000b26e8.tar.bz2
Issue #21043: Remove the recommendation for specific CA organizations
Closes #21043 by updating the documentation to remove specific CA organizations and update the text to no longer need to tell you to download root certificates, but instead use the OS certificates avaialble through SSLContext.load_default_certs.
Diffstat (limited to 'Doc')
-rw-r--r--Doc/library/ssl.rst17
1 files changed, 3 insertions, 14 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 9b74ccf..94a0c81 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -1339,20 +1339,9 @@ If you are going to require validation of the other side of the connection's
certificate, you need to provide a "CA certs" file, filled with the certificate
chains for each issuer you are willing to trust. Again, this file just contains
these chains concatenated together. For validation, Python will use the first
-chain it finds in the file which matches. Some "standard" root certificates are
-available from various certification authorities: `CACert.org
-<http://www.cacert.org/index.php?id=3>`_, `Thawte
-<http://www.thawte.com/roots/>`_, `Verisign
-<http://www.verisign.com/support/roots.html>`_, `Positive SSL
-<http://www.PositiveSSL.com/ssl-certificate-support/cert_installation/UTN-USERFirst-Hardware.crt>`_
-(used by python.org), `Equifax and GeoTrust
-<http://www.geotrust.com/resources/root_certificates/index.asp>`_.
-
-In general, if you are using SSL3 or TLS1, you don't need to put the full chain
-in your "CA certs" file; you only need the root certificates, and the remote
-peer is supposed to furnish the other certificates necessary to chain from its
-certificate to a root certificate. See :rfc:`4158` for more discussion of the
-way in which certification chains can be built.
+chain it finds in the file which matches. The platform's certificates file can
+be used by calling :meth:`SSLContext.load_default_certs`, this is done
+automatically with :func:`.create_default_context`.
Combined key and certificate
^^^^^^^^^^^^^^^^^^^^^^^^^^^^