[issue8550] Expose SSL contexts
Heikki Toivonen
report at bugs.python.org
Sun May 16 06:42:26 CEST 2010
Heikki Toivonen <hjtoi-bugzilla at comcast.net> added the comment:
Since SSLv2 is insecure, could you at least add a warning for that protocol? I think there was a separate issue for removing it altogether, but could a warning be added here?
The documentation should mention that verify_mode=CERT_REQUIRED is recommended for security.
There should probably be an example of using SSL context in the documentation.
I think you need to expose SSL_CTX_set_options(). Currently the code just sets all options, which means that the default protocol SSLv23 will accept SSLv2 which is insecure. Most people would want to probably do something like ctx.set_options(SSL_OP_ALL | SSL_OP_NO_SSLv2). Documentation should also mention that this is recommended for security. See man SSL_CTX_set_options.
Otherwise I could not see issues with the code, apart from the still #if 0'd out sections and commented out sections, which you are planning on doing something about, right?
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue8550>
_______________________________________
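An added example, not part of the original message or of the patch under review: the settings the comment recommends, written against today's Python ssl module, plus a small audit helper. The function names are hypothetical, and the minimum_version check goes beyond the comment's SSLv2 point as the current way to set a protocol floor.

```python
import ssl


def hardened_client_context():
    """Client context with the settings recommended in the comment."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Require and verify the peer certificate.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Equivalent of SSL_CTX_set_options(SSL_OP_ALL | SSL_OP_NO_SSLv2).
    # On OpenSSL 1.1.0+ OP_NO_SSLv2 is 0 because SSLv2 was removed there.
    ctx.options |= ssl.OP_ALL | ssl.OP_NO_SSLv2
    # Generalization: an explicit protocol floor instead of per-version flags.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CERT_REQUIRED is only useful with trust anchors loaded.
    ctx.load_default_certs()
    return ctx


def weak_client_context():
    """Constructed counter-example: no verification, no protocol floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx):
    """Return a list of findings for an SSLContext; empty means none."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED")
    # Only meaningful when the linked OpenSSL still defines the flag.
    if ssl.OP_NO_SSLv2 and not ctx.options & ssl.OP_NO_SSLv2:
        findings.append("OP_NO_SSLv2 is not set")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLSv1.2")
    return findings


if __name__ == "__main__":
    for name, make in (("hardened", hardened_client_context),
                       ("weak", weak_client_context)):
        print(name, audit_context(make()) or "no findings")
```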