diff options
| author | Antoine Pitrou <solipsis@pitrou.net> | 2013-12-28 16:30:51 (GMT) |
|---|---|---|
| committer | Antoine Pitrou <solipsis@pitrou.net> | 2013-12-28 16:30:51 (GMT) |
| commit | e6d2f159fcadd5fc336970110c49bba706b9787e (patch) | |
| tree | b7776304fedf69f6073b393b822dcd3519f2d859 /Doc | |
| parent | c1764dd3506e70d19d1bdda171b7812d416ad92f (diff) | |
| parent | 3e86ba4e321d20931648d110e1be12643cb8ff04 (diff) | |
| download | cpython-e6d2f159fcadd5fc336970110c49bba706b9787e.zip cpython-e6d2f159fcadd5fc336970110c49bba706b9787e.tar.gz cpython-e6d2f159fcadd5fc336970110c49bba706b9787e.tar.bz2 | |
Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
Diffstat (limited to 'Doc')
| -rw-r--r-- | Doc/library/ssl.rst | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index e2d3c3f..76bb432 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -142,13 +142,16 @@ instead. Takes an instance ``sock`` of :class:`socket.socket`, and returns an instance of :class:`ssl.SSLSocket`, a subtype of :class:`socket.socket`, which wraps - the underlying socket in an SSL context. For client-side sockets, the - context construction is lazy; if the underlying socket isn't connected yet, - the context construction will be performed after :meth:`connect` is called on - the socket. For server-side sockets, if the socket has no remote peer, it is - assumed to be a listening socket, and the server-side SSL wrapping is - automatically performed on client connections accepted via the :meth:`accept` - method. :func:`wrap_socket` may raise :exc:`SSLError`. + the underlying socket in an SSL context. ``sock`` must be a + :data:`~socket.SOCK_STREAM` socket; other socket types are unsupported. + + For client-side sockets, the context construction is lazy; if the + underlying socket isn't connected yet, the context construction will be + performed after :meth:`connect` is called on the socket. For + server-side sockets, if the socket has no remote peer, it is assumed + to be a listening socket, and the server-side SSL wrapping is + automatically performed on client connections accepted via the + :meth:`accept` method. :func:`wrap_socket` may raise :exc:`SSLError`. The ``keyfile`` and ``certfile`` parameters specify optional files which contain a certificate to be used to identify the local side of the @@ -1146,7 +1149,10 @@ to speed up repeated connections from the same clients. server_hostname=None) Wrap an existing Python socket *sock* and return an :class:`SSLSocket` - object. The SSL socket is tied to the context, its settings and + object. *sock* must be a :data:`~socket.SOCK_STREAM` socket; other socket + types are unsupported. + + The returned SSL socket is tied to the context, its settings and certificates. The parameters *server_side*, *do_handshake_on_connect* and *suppress_ragged_eofs* have the same meaning as in the top-level :func:`wrap_socket` function. |