[Python-checkins] peps: PEP476: Updates based on feedback from Guido.

alex.gaynor python-checkins at python.org
Sat Sep 20 00:33:19 CEST 2014 

https://hg.python.org/peps/rev/f44d393ad12f
changeset:   5555:f44d393ad12f
user:        Alex Gaynor <alex.gaynor at gmail.com>
date:        Fri Sep 19 15:33:00 2014 -0700
summary:
  PEP476: Updates based on feedback from Guido.

Fixed several typos, clean up language, and included an example of opting out

files:
  pep-0476.txt |  38 +++++++++++++++++++++++++-------------
  1 files changed, 25 insertions(+), 13 deletions(-)


diff --git a/pep-0476.txt b/pep-0476.txt
--- a/pep-0476.txt
+++ b/pep-0476.txt
@@ -11,13 +11,13 @@
 Abstract
 ========
 
-Currently when a standard library http client (the ``urllib`` and ``http``
-modules) encounters an ``https://`` URL it will wrap the network HTTP traffic
-in a TLS stream, as is necessary to communicate with such a server. However,
-during the TLS handshake it will not actually check that the server has an X509
-certificate is signed by a CA in any trust root, nor will it verify that the
-Common Name (or Subject Alternate Name) on the presented certificate matches
-the requested host.
+Currently when a standard library http client (the ``urllib``, ``urllib2``,
+``http``, and ``httplib`` modules) encounters an ``https://`` URL it will wrap
+the network HTTP traffic in a TLS stream, as is necessary to communicate with
+such a server. However, during the TLS handshake it will not actually check
+that the server has an X509 certificate is signed by a CA in any trust root,
+nor will it verify that the Common Name (or Subject Alternate Name) on the
+presented certificate matches the requested host.
 
 The failure to do these checks means that anyone with a privileged network
 position is able to trivially execute a man in the middle attack against a
@@ -68,10 +68,11 @@
 Failure to locate such a database would be an error, and users would need to
 explicitly specify a location to fix it.
 
-This will be acheived by adding a new ``ssl._create_default_https_context``
-function, which is the same as ``ssl.create_default``. ``http.client`` can then
-replace it's usage of ``ssl._create_stdlib_context`` with the new
-``ssl._create_default_https_context``.
+This will be achieved by adding a new ``ssl._create_default_https_context``
+function, which is the same as ``ssl.create_default_context``.
+
+``http.client`` can then replace its usage of ``ssl._create_stdlib_context``
+with the ``ssl._create_default_https_context``.
 
 Additionally ``ssl._create_stdlib_context`` is renamed
 ``ssl._create_unverified_context`` (an alias is kept around for backwards
@@ -116,6 +117,18 @@
 Twisted's 14.0 release made this same change, and it has been met with almost
 no opposition.
 
+Opting out
+----------
+
+For users who wish to opt out of certificate verification, they can achieve
+this by providing the ``context`` argument to ``urllib.urlopen``:
+
+    import ssl
+
+    # This restores the same behavior as before.
+    context = ssl._create_unverified_context()
+    urllib.urlopen("https://no-valid-cert", context=context)
+
 Other protocols
 ===============
 
@@ -137,8 +150,7 @@
 This PEP describes changes that will occur on both the 3.4.x, 3.5 and 2.7.X
 branches. For 2.7.X this will require backporting the ``context``
 (``SSLContext``) argument to ``httplib``, in addition to the features already
-backported in
-:pep:`466`.
+backported in :pep:`466`.
 
 Implementation
 ==============

-- 
Repository URL: https://hg.python.org/peps

More information about the Python-checkins mailing list