summaryrefslogtreecommitdiffstats
path: root/Doc
diff options
context:
space:
mode:
authorAntoine Pitrou <solipsis@pitrou.net>2013-11-17 14:35:33 (GMT)
committerAntoine Pitrou <solipsis@pitrou.net>2013-11-17 14:35:33 (GMT)
commit9eefe91fc2922de7ae7eee2e55d17ea452468083 (patch)
tree4f26af870d5f33f53be4d5cb418996e1022e3ab2 /Doc
parent9d282f6b9f8458c5e39d345cfdb8a876c5095dc9 (diff)
downloadcpython-9eefe91fc2922de7ae7eee2e55d17ea452468083.zip
cpython-9eefe91fc2922de7ae7eee2e55d17ea452468083.tar.gz
cpython-9eefe91fc2922de7ae7eee2e55d17ea452468083.tar.bz2
Issue #19508: direct the user to read the security considerations for the ssl module
Diffstat (limited to 'Doc')
-rw-r--r--Doc/library/ssl.rst19
1 files changed, 14 insertions, 5 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 1c5c355..c4e1712 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -29,12 +29,10 @@ probably additional platforms, as long as OpenSSL is installed on that platform.
cause variations in behavior.
.. warning::
+ Don't use this module without reading the :ref:`ssl-security`. Doing so
+ may lead to a false sense of security, as the default settings of the
+ ssl module are not necessarily appropriate for your application.
- OpenSSL's internal random number generator does not properly handle fork.
- Applications must change the PRNG state of the parent process if they use
- any SSL feature with :func:`os.fork`. Any successful call of
- :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or
- :func:`~ssl.RAND_pseudo_bytes` is sufficient.
This section documents the objects and functions in the ``ssl`` module; for more
general information about TLS, SSL, and certificates, the reader is referred to
@@ -1314,6 +1312,17 @@ format <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>`_.
If you want to check which ciphers are enabled by a given cipher list,
use the ``openssl ciphers`` command on your system.
+Multi-processing
+^^^^^^^^^^^^^^^^
+
+If using this module as part of a multi-processed application (using,
+for example the :mod:`multiprocessing` or :mod:`concurrent.futures` modules),
+be aware that OpenSSL's internal random number generator does not properly
+handle forked processes. Applications must change the PRNG state of the
+parent process if they use any SSL feature with :func:`os.fork`. Any
+successful call of :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or
+:func:`~ssl.RAND_pseudo_bytes` is sufficient.
+
.. seealso::