[New-bugs-announce] [issue38036] ssl docs say that ssl.SSLContext() is secure-by-default since 3.6, but it isn't
Nathaniel Smith
report at bugs.python.org
Thu Sep 5 03:31:45 EDT 2019
New submission from Nathaniel Smith <njs at pobox.com>:
Quoting from the docs for ssl.SSLContext:
"Changed in version 3.6: The context is created with secure default values."
- https://docs.python.org/3/library/ssl.html#ssl.SSLContext
This is not true. If you call ssl.SSLContext(), you get a context with cert validation entirely disabled. And this has led to serious security bugs in practice: https://github.com/theelous3/asks/issues/134
Changing the defaults to make them actually secure would of course be nice, but is a complicated question that would need discussion. In the mean time, the docs shouldn't claim that it's secure. There should be a big bold note saying "UNLESS YOU HAVE A VERY GOOD REASON, DON'T USE THIS, USE ssl.create_default_connection()".
----------
messages: 351186
nosy: alex, christian.heimes, dstufft, janssen, njs
priority: normal
severity: normal
status: open
title: ssl docs say that ssl.SSLContext() is secure-by-default since 3.6, but it isn't
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue38036>
_______________________________________
More information about the New-bugs-announce
mailing list