New submission from Nathaniel Smith <n...@pobox.com>:

Quoting from the docs for ssl.SSLContext: "Changed in version 3.6: The context is created with secure default values." - https://docs.python.org/3/library/ssl.html#ssl.SSLContext

This is not true. If you call ssl.SSLContext(), you get a context with cert validation entirely disabled. And this has led to serious security bugs in practice: https://github.com/theelous3/asks/issues/134

Changing the defaults to make them actually secure would of course be nice, but is a complicated question that would need discussion. In the meantime, the docs shouldn't claim that it's secure. There should be a big bold note saying "UNLESS YOU HAVE A VERY GOOD REASON, DON'T USE THIS, USE ssl.create_default_connection()".

----------
messages: 351186
nosy: alex, christian.heimes, dstufft, janssen, njs
priority: normal
severity: normal
status: open
title: ssl docs say that ssl.SSLContext() is secure-by-default since 3.6, but it isn't

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue38036>
_______________________________________
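The gap the report describes can be seen directly by inspecting the two attributes that decide whether a client context authenticates the server. The following is an added illustration, not code from the tracker issue or from CPython; `audit_context` and `assert_verifying` are hypothetical helper names, and the bare `ssl.SSLContext()` call is wrapped only to silence the deprecation warning newer interpreters emit for it.

```python
import ssl
import warnings


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report the settings that decide whether a client context will
    actually authenticate the peer. Returns a plain dict so the result
    can be logged or asserted on."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        # Both must be set: CERT_REQUIRED checks the chain, check_hostname
        # checks that the certificate is for the host we asked for.
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


def bare_context() -> ssl.SSLContext:
    """The constructor the report is about: ssl.SSLContext() with no
    arguments. On recent interpreters this warns that the implicit
    PROTOCOL_TLS is deprecated, which we suppress for the comparison."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext()


def default_context() -> ssl.SSLContext:
    """The recommended factory: loads the system CA store and turns
    certificate and hostname verification on."""
    return ssl.create_default_context()


def assert_verifying(ctx: ssl.SSLContext) -> dict:
    """Guard to place in front of any code path that hands a context to a
    client: raise rather than silently connect without verification."""
    report = audit_context(ctx)
    if not report["verifies_peer"]:
        raise ValueError(f"SSLContext does not verify peers: {report}")
    return report


if __name__ == "__main__":
    for name, ctx in (("ssl.SSLContext()", bare_context()),
                      ("ssl.create_default_context()", default_context())):
        print(f"{name:30} {audit_context(ctx)}")
```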
Quoting from the docs for ssl.SSLContext: "Changed in version 3.6: The context is created with secure default values." - https://docs.python.org/3/library/ssl.html#ssl.SSLContext This is not true. If you call ssl.SSLContext(), you get a context with cert validation entirely disabled. And this has led to serious security bugs in practice: https://github.com/theelous3/asks/issues/134 Changing the defaults to make them actually secure would of course be nice, but is a complicated question that would need discussion. In the mean time, the docs shouldn't claim that it's secure. There should be a big bold note saying "UNLESS YOU HAVE A VERY GOOD REASON, DON'T USE THIS, USE ssl.create_default_connection()". ---------- messages: 351186 nosy: alex, christian.heimes, dstufft, janssen, njs priority: normal severity: normal status: open title: ssl docs say that ssl.SSLContext() is secure-by-default since 3.6, but it isn't _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue38036> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com