Repository: libcloud Updated Branches: refs/heads/trunk 6a1b6a3fb -> 4bb534c06
Also documment unsafe ssl.PROTOCOL_SSLv23 option and the reasons why people should not use it. Project: http://git-wip-us.apache.org/repos/asf/libcloud/repo Commit: http://git-wip-us.apache.org/repos/asf/libcloud/commit/4bb534c0 Tree: http://git-wip-us.apache.org/repos/asf/libcloud/tree/4bb534c0 Diff: http://git-wip-us.apache.org/repos/asf/libcloud/diff/4bb534c0 Branch: refs/heads/trunk Commit: 4bb534c063b222f94fe56c22e54345826280cbae Parents: 6a1b6a3 Author: Tomaz Muraus <[email protected]> Authored: Thu Jan 14 13:57:33 2016 +0100 Committer: Tomaz Muraus <[email protected]> Committed: Thu Jan 14 13:57:33 2016 +0100 ---------------------------------------------------------------------- docs/other/ssl-certificate-validation.rst | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/libcloud/blob/4bb534c0/docs/other/ssl-certificate-validation.rst ---------------------------------------------------------------------- diff --git a/docs/other/ssl-certificate-validation.rst b/docs/other/ssl-certificate-validation.rst index c7e9d80..7a032fc 100644 --- a/docs/other/ssl-certificate-validation.rst +++ b/docs/other/ssl-certificate-validation.rst @@ -105,8 +105,8 @@ Changing used SSL / TLS version If you are using Linode driver you need to update your code to use TLS v1.1 or TLS v1.2 as shown below. -For compatibility reasons (we also support older Python versions), Libcloud -uses TLS v1.0 by default. +For compatibility and safety reasons (we also support older Python versions), +Libcloud uses TLS v1.0 by default. If the provier doesn't support this version or if you want to use a different version because of security reasons (you should always use the highest version 
@@ -127,3 +127,13 @@ use a different version as shown below. Keep in mind that TLS v1.1 and v1.2 is right now only supported in Python >= 3.4 and Python 2.7.9. In addition to that, your system also needs to have a recent version of OpenSSL available. + +Another (**unsafe** and **unrecommended**) option is to use +``ssl.PROTOCOL_SSLv23`` constant which will let client know to pick the highest +protocol version which both the client and server support. If this constant is +selected, the client will be selecting between SSL v3.0, TLS v1.0, TLS v1.1 and +TLS v1.2. + +Keep in mind that SSL v3.0 is considered broken and unsafe and using this +option can result in a downgrade attack so we strongly recommend **NOT** to use +it.
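Review bot: in the first hunk (@@ -105,8 +105,8 @@) the new wording "For compatibility and safety reasons ... Libcloud uses TLS v1.0 by default" reads as if TLS v1.0 were the safe choice, which contradicts the unchanged context two lines later ("you should always use the highest version"). If "safety" is meant in contrast to the ssl.PROTOCOL_SSLv23 auto-negotiation documented in the second hunk (a pinned TLS v1.0 can never end up on SSL v3.0), say that explicitly, e.g. "For compatibility reasons (we also support older Python versions) Libcloud uses TLS v1.0 by default; pinning one version is also what rules out a fallback to SSL v3.0, see below." Otherwise keep the original "For compatibility reasons" and let the recommendation to pick the highest version stand on its own. Nit: the context line "If the provier doesn't support this version" carries a typo (provider) that could be fixed while this hunk is being touched.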
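Review bot: in the second hunk (@@ -127,3 +127,13 @@) the sentence "the client will be selecting between SSL v3.0, TLS v1.0, TLS v1.1 and TLS v1.2" promises more than the constant guarantees: with ssl.PROTOCOL_SSLv23 the candidate set is whatever the linked OpenSSL was built with, so an old build can also offer SSL v2.0 and a build with SSLv3 compiled out never offers SSL v3.0. The problem is therefore not negotiation as such but negotiating without excluding the broken versions; if the option is documented at all, the paragraph should also show the mitigated form, an ssl.SSLContext(ssl.PROTOCOL_SSLv23) with ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 added to context.options, which keeps the "highest mutually supported version" behaviour while restricting it to TLS, and state that the unmitigated form is what the downgrade warning refers to. Wording: "unrecommended" should be "not recommended", "let client know to pick" should be "lets the client pick", and "we strongly recommend **NOT** to use it" should be "we strongly recommend against using it". The context line "TLS v1.1 and v1.2 is right now only supported" also needs "are".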
