[Python-checkins] (no subject)
Stéphane Wirtel
webhook-mailer at python.org
Thu Sep 12 07:20:45 EDT 2019
To: python-checkins at python.org
Subject: bpo-32008: Prefer client or TLSv1_2 in examples (GH-5797) (GH-16026)
https://github.com/python/cpython/commit/07b4148f3932ed22f9cd8476f49bd0079d093590
commit: 07b4148f3932ed22f9cd8476f49bd0079d093590
branch: 3.7
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: Stéphane Wirtel <stephane at wirtel.be>
date: 2019-09-12T12:20:41+01:00
summary:
bpo-32008: Prefer client or TLSv1_2 in examples (GH-5797) (GH-16026)
Prefer client or TLSv1_2 in examples
Signed-off-by: Christian Heimes <christian at python.org>
(cherry picked from commit 894d0f7d5542ee04556ec1bee8c58506f7c916d4)
Co-authored-by: Christian Heimes <christian at python.org>
files:
M Doc/library/ssl.rst
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 1133ebf25f5b..b22136810d28 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -1873,13 +1873,15 @@ to speed up repeated connections from the same client=
s.
:meth:`~SSLContext.wrap_socket` in order to match the hostname. Enabling
hostname checking automatically sets :attr:`~SSLContext.verify_mode` from
:data:`CERT_NONE` to :data:`CERT_REQUIRED`. It cannot be set back to
- :data:`CERT_NONE` as long as hostname checking is enabled.
+ :data:`CERT_NONE` as long as hostname checking is enabled. The
+ :data:`PROTOCOL_TLS_CLIENT` protocol enables hostname checking by default.
+ With other protocols, hostname checking must be enabled explicitly.
=20
Example::
=20
import socket, ssl
=20
- context =3D ssl.SSLContext()
+ context =3D ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.verify_mode =3D ssl.CERT_REQUIRED
context.check_hostname =3D True
context.load_default_certs()
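Review bot: the new prose in this hunk points readers at :data:`PROTOCOL_TLS_CLIENT` as the protocol that enables hostname checking by default, but the example two lines later switches to :data:`PROTOCOL_TLSv1_2` instead, which both leaves the explicit ``verify_mode``/``check_hostname`` assignments in place and pins the connection to exactly TLS 1.2 (no TLS 1.3 negotiation). If the intent is to show the "other protocols, enable it explicitly" case, a short sentence saying so would keep the example and the paragraph from reading as contradictory; otherwise use ``ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)`` here as well, matching the second hunk.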
@@ -2181,19 +2183,23 @@ If you prefer to tune security settings yourself, you=
might create
a context from scratch (but beware that you might not get the settings
right)::
=20
- >>> context =3D ssl.SSLContext()
- >>> context.verify_mode =3D ssl.CERT_REQUIRED
- >>> context.check_hostname =3D True
+ >>> context =3D ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
>>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")
=20
(this snippet assumes your operating system places a bundle of all CA
certificates in ``/etc/ssl/certs/ca-bundle.crt``; if not, you'll get an
error and have to adjust the location)
=20
+The :data:`PROTOCOL_TLS_CLIENT` protocol configures the context for cert
+validation and hostname verification. :attr:`~SSLContext.verify_mode` is
+set to :data:`CERT_REQUIRED` and :attr:`~SSLContext.check_hostname` is set
+to ``True``. All other protocols create SSL contexts with insecure defaults.
+
When you use the context to connect to a server, :const:`CERT_REQUIRED`
-validates the server certificate: it ensures that the server certificate
-was signed with one of the CA certificates, and checks the signature for
-correctness::
+and :attr:`~SSLContext.check_hostname` validate the server certificate: it
+ensures that the server certificate was signed with one of the CA
+certificates, checks the signature for correctness, and verifies other
+properties like validity and identity of the hostname::
=20
>>> conn =3D context.wrap_socket(socket.socket(socket.AF_INET),
... server_hostname=3D"www.python.org")
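Review bot: "All other protocols create SSL contexts with insecure defaults." in the added paragraph overstates the server case: a :data:`PROTOCOL_TLS_SERVER` context not requesting client certificates by default is the normal server posture, not an insecure one. Narrowing it to "all other protocols create client contexts that neither verify the certificate chain nor check the hostname unless you set those attributes yourself" says what the reader needs. Also worth noting in the same paragraph that :meth:`load_verify_locations` is still the one setting the snippet leaves to the caller, since the surrounding "beware that you might not get the settings right" warning now applies only to the CA bundle path.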