On Thu, 13 Mar 2014 15:23:14 -0500, "Andrew M. Hettinger" <ahettin...@prominic.net> wrote:
> Antoine Pitrou <solip...@pitrou.net> wrote on 03/13/2014 01:46:12 PM:
> > On Thu, 13 Mar 2014 14:57:41 +0100
> > Victor Stinner <victor.stin...@gmail.com> wrote:
> > > 2014-03-13 11:49 GMT+01:00 Christian Heimes <christ...@python.org>:
> > > > * All stdlib modules now support server cert verification including
> > > > hostname matching and CRL.
> > > >
> > > > * http://bugs.python.org/issue16499 isolated mode is a security
> > > > improvement, too.
> > >
> > > Ok, I added these two items.
> > >
> > > Antoine wrote:
> > > > CRL? really? I don't remember us doing automatic CRL downloads.
> > >
> > > It's just the "support", nothing is automatic. I understood that you
> > > *can* load CRL and ask for CRL validation, but it must be done
> > > explicitly. There is a function to retrieve system CRLs on Windows.
> >
> > Then you should perhaps make your phrasing more explicit, because
> > people may wrongly assume that CRL checking will be done automatically
> > (IMHO).
> >
> > (especially since hostname checking, AFAIK, *is* automatic now)
>
> Sorry if I'm out of line on my first post to this list, but I've been using
> the ssl module in 3.4 some lately (indeed, I have an open RFE on it for
> 3.5).
>
> While hostname checking can be done automatically, it's not the default
> (and if it will even work at all depends on the version of openssl
> installed).
> I suppose I could see it changed to read:
>
> * All stdlib modules now support server cert verification including
> hostname matching and CRL verification (but not automatic download).
>
> Of course, the reality is, using the ssl module requires a very careful
> attention to detail, and probably always will. If a programmer is just
> going by the "What's New" section for security related code, I'm not sure
> there's much you can do to save them. ;p
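The points Victor and Andrew make above (CRL checking is "supported" but never automatic, and hostname matching is opt-in on a plain SSLContext) are easy to see in a few lines. The following is an added example, not code from the thread or from the CPython project; it assumes a Python where ssl.create_default_context (added in 3.4) and ssl.VERIFY_CRL_CHECK_LEAF exist, and the function names (verifying_context, legacy_context, enable_crl_check, settings, hostname_required) are my own. Nothing here opens a network connection.

```python
import socket
import ssl

# Added example (not from the thread): each verification step in the ssl
# module is switched on explicitly below, to make the "nothing is automatic"
# point concrete.


def verifying_context(cafile=None):
    """Client context that requires a valid chain and a matching hostname."""
    # create_default_context() already sets CERT_REQUIRED and check_hostname;
    # both are restated so the intent is visible to a reader of this code.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def legacy_context():
    """A bare SSLContext as many 3.4-era programs built it: no verification at all.

    PROTOCOL_TLS is the modern name of the PROTOCOL_SSLv23 constant used in 3.4;
    it is deprecated today but still shows the insecure defaults."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS)


def enable_crl_check(ctx, crl_path=None):
    """Ask OpenSSL to check the leaf certificate against a loaded CRL.

    The CRL is never fetched for you. If crl_path is None, every handshake
    will fail with 'unable to get certificate CRL' until a CRL is loaded
    with load_verify_locations(), which is the behaviour the thread warns
    readers not to misread as automatic revocation checking."""
    if crl_path is not None:
        ctx.load_verify_locations(cafile=crl_path)
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def settings(ctx):
    """Plain-value summary of what a context will actually enforce."""
    return {
        "requires_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "checks_crl": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }


def hostname_required(ctx):
    """True if the context refuses to wrap a socket without a server_hostname.

    A context with check_hostname=True raises ValueError before any I/O when
    no name is given to match against; a legacy context silently proceeds."""
    with socket.socket() as raw:
        try:
            wrapped = ctx.wrap_socket(raw, server_hostname=None)
        except ValueError:
            return True
        wrapped.close()
    return False


if __name__ == "__main__":
    print("default context:", settings(verifying_context()))
    print("legacy context: ", settings(legacy_context()))
    print("with CRL flag:  ", settings(enable_crl_check(verifying_context())))
```

Run stand-alone it prints the three summaries; the useful contrast is that the legacy context reports False for every check, and that enable_crl_check() only sets a flag, so a deployment that turns it on must also arrange to obtain and load the CRL (for example with ssl.enum_crls() on Windows, the function Victor refers to) or every connection will fail.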
I opened issue 20913 to request that some sort of "best practices" documentation be added either to the SSL docs or as a separate chapter in the library reference. I do not feel competent to adjust the content of the security entries in whatsnew, so I have not. If someone wants to propose a patch or make an edit before Larry copies the files, please feel free.

--David