bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530)

The documentation for CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED were misleading and partly wrong. It fails to explain that OpenSSL behaves differently in client and server mode. Also OpenSSL does validate the cert chain everytime. With SSL_VERIFY_NONE a validation error is not fatal in client mode and does not request a client cert in server mode. Also discourage people from using CERT_OPTIONAL in client mode.
author: Christian Heimes <christian@python.org> 2018-06-11 22:59:45 (GMT)
committer: Ned Deily <nad@python.org> 2018-06-11 22:59:45 (GMT)
commit: ef24b6c54d40e7820456873a6eab6ef57d2bd0db (patch)
tree: 453f2603e01d16c2be2e5b280e0fc70c6061bbb5 /Misc/NEWS.d
parent: 4b704f29f5a0b6f6d7bd67468ed004bd3a96855d (diff)
download: cpython-ef24b6c54d40e7820456873a6eab6ef57d2bd0db.zip
cpython-ef24b6c54d40e7820456873a6eab6ef57d2bd0db.tar.gz
cpython-ef24b6c54d40e7820456873a6eab6ef57d2bd0db.tar.bz2
1 files changed, 2 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Documentation/2017-09-13-07-14-59.bpo-31432.yAY4Z3.rst b/Misc/NEWS.d/next/Documentation/2017-09-13-07-14-59.bpo-31432.yAY4Z3.rst
new file mode 100644
index 0000000..18e5353
--- /dev/null
+++ b/Misc/NEWS.d/next/Documentation/2017-09-13-07-14-59.bpo-31432.yAY4Z3.rst
@@ -0,0 +1,2 @@
+Clarify meaning of CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED flags for
+ssl.SSLContext.verify_mode.
author	Christian Heimes <christian@python.org>	2018-06-11 22:59:45 (GMT)
committer	Ned Deily <nad@python.org>	2018-06-11 22:59:45 (GMT)
commit	ef24b6c54d40e7820456873a6eab6ef57d2bd0db (patch)
tree	453f2603e01d16c2be2e5b280e0fc70c6061bbb5 /Misc/NEWS.d
parent	4b704f29f5a0b6f6d7bd67468ed004bd3a96855d (diff)
download	cpython-ef24b6c54d40e7820456873a6eab6ef57d2bd0db.zip cpython-ef24b6c54d40e7820456873a6eab6ef57d2bd0db.tar.gz cpython-ef24b6c54d40e7820456873a6eab6ef57d2bd0db.tar.bz2