On Sat, 30 Nov 2013 19:29:37 +0100 Christian Heimes <christ...@python.org> wrote:

> This fix requires only a new SSLContext attribute and a small
> modification to SSLSocket.do_handshake():
>
>     if self.context.check_hostname:
>         try:
>             match_hostname(self.getpeercert(), self.server_hostname)
>         except Exception:
>             self.shutdown(_SHUT_RDWR)
>             self.close()
>             raise
Small nit: what happens if the server_hostname is None (i.e. wasn't passed to context.wrap_socket())?

> The default settings for all stdlib modules will still be verify_mode =
> CERT_NONE and check_hostname = False for maximum backward compatibility.
> Python 3.4 comes with a new function ssl.create_default_context() that
> returns a new context with best practice settings and loaded root CA
> certs. The settings are TLS 1.0, no weak and insecure ciphers (no MD5,
> no RC4), no compression (CRIME attack), CERT_REQUIRED and check_hostname
> = True (for client side only).

Sounds fine to me, thanks.

Regards

Antoine.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com