[issue24516] SSL create_default_socket purpose insufficiently documented

2017-09-06 Thread Christian Heimes

Changes by Christian Heimes:


--
resolution:  -> out of date
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue24516] SSL create_default_socket purpose insufficiently documented

2016-09-15 Thread Christian Heimes

Changes by Christian Heimes:


--
components: +SSL




[issue24516] SSL create_default_socket purpose insufficiently documented

2016-09-08 Thread Christian Heimes

Changes by Christian Heimes:


--
versions: +Python 3.6, Python 3.7 -Python 3.4




[issue24516] SSL create_default_socket purpose insufficiently documented

2015-06-26 Thread Martin Panter

Changes by Martin Panter:


--
nosy: +vadmium




[issue24516] SSL create_default_socket purpose insufficiently documented

2015-06-26 Thread Christian Heimes

Christian Heimes added the comment:

Python uses serverAuth and clientAuth in the exact same meaning as EKU 
(extended key usage). In order to create an X.509 cert for a web server, it 
should have EKU "SSL/TLS Web Server Authentication". On the other hand, a client 
must validate the cert for a specific purpose, too. So the client creates a 
context with purpose SERVER_AUTH. This loads only trust anchors which are 
flagged with EKU "SSL/TLS Web Server Authentication".

For a TLS/SSL server it is the other way around. The server side uses a context 
with CLIENT_AUTH to load only root certs that can validate client certs. Other 
purposes aren't supported because Python's ssl supports neither S/MIME nor 
code signing.

https://docs.python.org/2/library/ssl.html#ssl.SSLContext.load_default_certs 
explains the purpose flags, too.

--
nosy: +christian.heimes


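An added example, not part of the thread or of CPython's own code: it shows what `ssl.create_default_context()` actually configures for each purpose, plus a small check that catches the mix-up discussed in this issue. The helper names `default_context_profile` and `role_mismatch` are hypothetical.

```python
import ssl


def default_context_profile(purpose):
    """Report the EKU a purpose maps to and the verification defaults it yields."""
    ctx = ssl.create_default_context(purpose)
    return {
        "eku_shortname": purpose.shortname,   # EKU name the peer's cert is validated for
        "eku_oid": purpose.oid,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


def role_mismatch(ctx, server_side):
    """Hypothetical lint: return a problem description, or None if ctx fits the role.

    Purpose names what the *peer* must prove, so a client socket needs a
    SERVER_AUTH context and a server socket needs a CLIENT_AUTH context.
    """
    if not server_side:
        # A client must authenticate the server: cert required, hostname checked.
        if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
            return ("client context does not authenticate the server "
                    "(built with Purpose.CLIENT_AUTH?)")
        return None
    # Hostname checking only makes sense on the connecting side; seeing it on a
    # listening socket's context is the tell-tale of a SERVER_AUTH context.
    if ctx.check_hostname:
        return ("server context has check_hostname enabled "
                "(built with Purpose.SERVER_AUTH?)")
    return None


if __name__ == "__main__":
    for purpose in (ssl.Purpose.SERVER_AUTH, ssl.Purpose.CLIENT_AUTH):
        print(purpose.name, default_context_profile(purpose))
    wrong_client = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    print(role_mismatch(wrong_client, server_side=False))
```

The client-side mix-up is the more dangerous one: a CLIENT_AUTH context used for outgoing connections fails open, because it performs no certificate or hostname verification by default.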


[issue24516] SSL create_default_socket purpose insufficiently documented

2015-06-26 Thread Petr Messner

New submission from Petr Messner:

Please, is it possible to add more information about the purpose parameter to 
the documentation of ssl.create_default_context()? It's not obvious that 
SERVER_AUTH should be used for client sockets and not server sockets. It took 
me a while to discover this, while all I was getting was only "SSLEOFError: EOF 
occurred in violation of protocol" (which is also not helpful).

This is especially confusing, because OpenSSL uses serverAuth and clientAuth 
(for extendedKeyUsage configuration) with exactly the opposite meaning.

--
assignee: docs@python
components: Documentation
messages: 245852
nosy: docs@python, messa
priority: normal
severity: normal
status: open
title: SSL create_default_socket purpose insufficiently documented
type: enhancement
versions: Python 3.4
