Issue #9983: warn that urllib and httplib don't perform SSL certificate validation.

2 files changed, 10 insertions, 6 deletions

diff --git a/Doc/library/http.client.rst b/Doc/library/http.client.rst
index 2a5c37c..9df61b7 100644
--- a/Doc/library/http.client.rst
+++ b/Doc/library/http.client.rst
@@ -53,13 +53,13 @@ The module provides the following classes:
 .. class:: HTTPSConnection(host, port=None, key_file=None, cert_file=None, strict=None[, timeout[, source_address]])
 
    A subclass of :class:`HTTPConnection` that uses SSL for communication with
-   secure servers.  Default port is ``443``. *key_file* is the name of a PEM
-   formatted file that contains your private key. *cert_file* is a PEM formatted
-   certificate chain file.
+   secure servers.  Default port is ``443``.  *key_file* is the name of a PEM
+   formatted file that contains your private key, and *cert_file* is a PEM
+   formatted certificate chain file; both can be used for authenticating
+   yourself against the server.
 
-   .. note::
-
-      This does not do any certificate verification.
+   .. warning::
+      This does not do any verification of the server's certificate.
 
    .. versionchanged:: 3.2
       *source_address* was added.
diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst
index 1578968..4a897ad 100644
--- a/Doc/library/urllib.request.rst
+++ b/Doc/library/urllib.request.rst
@@ -11,6 +11,10 @@ The :mod:`urllib.request` module defines functions and classes which help in
 opening URLs (mostly HTTP) in a complex world --- basic and digest
 authentication, redirections, cookies and more.
 
+.. warning:: When opening HTTPS (or FTPS) URLs, it is not attempted to
+   validate the server certificate.  Use at your own risk!
+
+
 The :mod:`urllib.request` module defines the following functions: