Heikki Toivonen <hjtoi-bugzi...@comcast.net> added the comment:

Since SSLv2 is insecure, could you at least add a warning for that protocol? I 
think there was a separate issue for removing it altogether, but could a 
warning be added here?

The documentation should mention that verify_mode=CERT_REQUIRED is recommended 
for security.

There should probably be an example of using SSL context in the documentation.

I think you need to expose SSL_CTX_set_options(). Currently the code just sets 
all options, which means that the default protocol SSLv23 will accept SSLv2 
which is insecure. Most people would want to probably do something like 
ctx.set_options(SSL_OP_ALL | SSL_OP_NO_SSLv2). Documentation should also 
mention that this is recommended for security. See man SSL_CTX_set_options.

Otherwise I could not see issues with the code, apart from the still #if 0'd 
out sections and commented out sections, which you are planning on doing 
something about, right?

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue8550>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
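The settings recommended in the comment above, as an added example that is not part of the original message or of the patch under review. It assumes the standard-library `ssl` module as it exists in current Python 3. The helper names are hypothetical, and it also disables SSLv3, which goes beyond the SSLv2 case the comment names.

```python
import ssl

# Protocol-disable flags an auditor expects to find set. ssl.OP_NO_SSLv2 is 0
# when Python is linked against OpenSSL 1.1.0+, which no longer implements
# SSLv2, so zero-valued flags are skipped in the audit below.
LEGACY_FLAGS = {"SSLv2": ssl.OP_NO_SSLv2, "SSLv3": ssl.OP_NO_SSLv3}


def hardened_client_context():
    """Client context following the comment's recommendations (hypothetical helper)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject peers without a valid chain
    ctx.check_hostname = True             # certificate must match the host name
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.load_default_certs()              # trust anchors from the OS store
    return ctx


def permissive_context():
    """Constructed counter-example: the settings the comment warns about."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.options &= ~ssl.OP_NO_SSLv3       # legacy protocol no longer excluded
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "verify_mode is %s, expected CERT_REQUIRED" % ctx.verify_mode.name)
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled")
    for name, flag in LEGACY_FLAGS.items():
        if flag and not ctx.options & flag:
            findings.append("%s is not disabled" % name)
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("permissive", permissive_context())):
        print(label, audit_context(ctx) or "ok")
```
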