Christian Heimes added the comment:

http://docs.python.org/3.4/library/ssl.html#ssl-security doesn't mention http://docs.python.org/3.4/library/ssl.html#ssl.create_default_context and http://docs.python.org/3.4/library/ssl.html#ssl.SSLContext.check_hostname . I planned to write a paragraph about context but my personal life got in my way (new job, relocation, new apartment).
Can somebody please write a few sentences that explain that:

* no stdlib module verifies SSL cert chain and hostname (except for asyncio)
* developers must pass a correctly configured context to stdlib modules to get validation and hostname matching
* ssl.create_default_context() returns a context with sensible default settings *and* pre-loaded root CA certs on most systems.

Example:

>>> import ssl, smtplib
>>> smtp = smtplib.SMTP("mail.python.org", port=587)
>>> context = ssl.create_default_context()
>>> smtp.starttls(context=context)
(220, b'2.0.0 Ready to start TLS')

Example with missing root CA:

>>> smtp = smtplib.SMTP("mail.python.org", port=587)
>>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> context.verify_mode = ssl.CERT_REQUIRED
>>> smtp.starttls(context=context)
Traceback (most recent call last):
  ...
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue20913>
_______________________________________
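The three conditions the comment above lists (chain verification requested, hostname matching on, a trust store actually loaded) can be checked on an SSLContext before it is handed to smtplib or urllib. The following is an added example written for this page, not code from the post or from CPython; the helper names (context_problems, require_verifying_context, bare_context, unverified_context, harden, starttls_verified) are assumptions, and it assumes Python 3.6+ for ssl.PROTOCOL_TLS_CLIENT. It reproduces the post's "missing root CA" context with the modern protocol constant and shows why it fails verification even though verify_mode is CERT_REQUIRED.

```python
import ssl


def context_problems(ctx):
    """Return the reasons a client SSLContext would NOT authenticate the peer.

    Three independent things must hold before a stdlib client (smtplib,
    urllib, http.client, ...) really verifies the server:
      1. verify_mode == CERT_REQUIRED  (the chain is checked at all)
      2. check_hostname is True        (the verified cert is for *this* host)
      3. a trust store is loaded       (otherwise every chain fails, which is
                                        the CERTIFICATE_VERIFY_FAILED case)
    An empty list means the context is usable.
    """
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: the chain is never checked")
    if not ctx.check_hostname:
        problems.append("check_hostname is False: a valid cert for any other name is accepted")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        problems.append("no CA certificates loaded: every chain will fail verification")
    return problems


def require_verifying_context(ctx):
    """Raise instead of silently using a context that cannot authenticate the peer."""
    problems = context_problems(ctx)
    if problems:
        raise ValueError("refusing TLS context: " + "; ".join(problems))
    return ctx


def default_context():
    """What the post recommends: sensible settings plus the system root CAs."""
    return ssl.create_default_context()


def bare_context():
    """The post's 'missing root CA' case: verification is requested,
    but no trust store was ever loaded (hypothetical reconstruction)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context():
    """A context that accepts any certificate for any name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode may drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def harden(ctx):
    """Turn any client context into a verifying one. verify_mode is raised
    first: older releases rejected check_hostname=True while it was CERT_NONE."""
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)  # same roots create_default_context() loads
    return ctx


def starttls_verified(host, port=587):
    """smtplib usage from the post, refusing to start TLS with a context
    that does not verify. Makes a network connection; not run offline."""
    import smtplib
    ctx = require_verifying_context(default_context())
    smtp = smtplib.SMTP(host, port=port)
    return smtp.starttls(context=ctx)
```

context_problems(bare_context()) reports only the missing trust store, which is exactly why the post's second transcript ends in CERTIFICATE_VERIFY_FAILED; harden() or create_default_context() fixes it on systems that ship a CA bundle.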