author: Antoine Pitrou <solipsis@pitrou.net>, 2013-12-28 16:30:51 (GMT)
committer: Antoine Pitrou <solipsis@pitrou.net>, 2013-12-28 16:30:51 (GMT)
commit: e6d2f159fcadd5fc336970110c49bba706b9787e
tree: b7776304fedf69f6073b393b822dcd3519f2d859 /Doc
parent: c1764dd3506e70d19d1bdda171b7812d416ad92f
parent: 3e86ba4e321d20931648d110e1be12643cb8ff04
Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
Diffstat (limited to 'Doc')
-rw-r--r-- Doc/library/ssl.rst 22
1 files changed, 14 insertions, 8 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index e2d3c3f..76bb432 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -142,13 +142,16 @@ instead.
Takes an instance ``sock`` of :class:`socket.socket`, and returns an instance
of :class:`ssl.SSLSocket`, a subtype of :class:`socket.socket`, which wraps
- the underlying socket in an SSL context. For client-side sockets, the
- context construction is lazy; if the underlying socket isn't connected yet,
- the context construction will be performed after :meth:`connect` is called on
- the socket. For server-side sockets, if the socket has no remote peer, it is
- assumed to be a listening socket, and the server-side SSL wrapping is
- automatically performed on client connections accepted via the :meth:`accept`
- method. :func:`wrap_socket` may raise :exc:`SSLError`.
+ the underlying socket in an SSL context. ``sock`` must be a
+ :data:`~socket.SOCK_STREAM` socket; other socket types are unsupported.
+
+ For client-side sockets, the context construction is lazy; if the
+ underlying socket isn't connected yet, the context construction will be
+ performed after :meth:`connect` is called on the socket. For
+ server-side sockets, if the socket has no remote peer, it is assumed
+ to be a listening socket, and the server-side SSL wrapping is
+ automatically performed on client connections accepted via the
+ :meth:`accept` method. :func:`wrap_socket` may raise :exc:`SSLError`.
The ``keyfile`` and ``certfile`` parameters specify optional files which
contain a certificate to be used to identify the local side of the
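Review bot: The added sentence "``sock`` must be a :data:`~socket.SOCK_STREAM` socket; other socket types are unsupported" does not say what a caller sees when passing another socket type, and the paragraph's closing sentence still names only :exc:`SSLError` as something :func:`wrap_socket` may raise. The commit message says such sockets are now explicitly disallowed where they previously emitted clear text silently, so state the failure mode here (which exception is raised) and add a ``versionchanged`` note, so that readers on earlier releases know the old behaviour was silent plaintext rather than an error.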
@@ -1146,7 +1149,10 @@ to speed up repeated connections from the same clients.
server_hostname=None)
Wrap an existing Python socket *sock* and return an :class:`SSLSocket`
- object. The SSL socket is tied to the context, its settings and
+ object. *sock* must be a :data:`~socket.SOCK_STREAM` socket; other socket
+ types are unsupported.
+
+ The returned SSL socket is tied to the context, its settings and
certificates. The parameters *server_side*, *do_handshake_on_connect*
and *suppress_ragged_eofs* have the same meaning as in the top-level
:func:`wrap_socket` function.
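Review bot: In the added lines "*sock* must be a :data:`~socket.SOCK_STREAM` socket; other socket types are unsupported", the word "unsupported" can be read as "untested but may work", which is the reading that matters here because the commit message describes the earlier behaviour as silently sending clear text. Suggest wording that says non-stream sockets are rejected, kept identical to the sentence in the top-level :func:`wrap_socket` description, or replaced by a cross-reference to it, as this paragraph already does for *server_side*, *do_handshake_on_connect* and *suppress_ragged_eofs*.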