[Python-checkins] peps: PEP476: Updates based on feedback from Guido.
alex.gaynor
python-checkins at python.org
Sat Sep 20 00:33:19 CEST 2014
https://hg.python.org/peps/rev/f44d393ad12f
changeset: 5555:f44d393ad12f
user: Alex Gaynor <alex.gaynor at gmail.com>
date: Fri Sep 19 15:33:00 2014 -0700
summary:
PEP476: Updates based on feedback from Guido.
Fixed several typos, clean up language, and included an example of opting out
files:
pep-0476.txt | 38 +++++++++++++++++++++++++-------------
1 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/pep-0476.txt b/pep-0476.txt
--- a/pep-0476.txt
+++ b/pep-0476.txt
@@ -11,13 +11,13 @@
Abstract
========
-Currently when a standard library http client (the ``urllib`` and ``http``
-modules) encounters an ``https://`` URL it will wrap the network HTTP traffic
-in a TLS stream, as is necessary to communicate with such a server. However,
-during the TLS handshake it will not actually check that the server has an X509
-certificate is signed by a CA in any trust root, nor will it verify that the
-Common Name (or Subject Alternate Name) on the presented certificate matches
-the requested host.
+Currently when a standard library http client (the ``urllib``, ``urllib2``,
+``http``, and ``httplib`` modules) encounters an ``https://`` URL it will wrap
+the network HTTP traffic in a TLS stream, as is necessary to communicate with
+such a server. However, during the TLS handshake it will not actually check
+that the server has an X509 certificate is signed by a CA in any trust root,
+nor will it verify that the Common Name (or Subject Alternate Name) on the
+presented certificate matches the requested host.
The failure to do these checks means that anyone with a privileged network
position is able to trivially execute a man in the middle attack against a
@@ -68,10 +68,11 @@
Failure to locate such a database would be an error, and users would need to
explicitly specify a location to fix it.
-This will be acheived by adding a new ``ssl._create_default_https_context``
-function, which is the same as ``ssl.create_default``. ``http.client`` can then
-replace it's usage of ``ssl._create_stdlib_context`` with the new
-``ssl._create_default_https_context``.
+This will be achieved by adding a new ``ssl._create_default_https_context``
+function, which is the same as ``ssl.create_default_context``.
+
+``http.client`` can then replace its usage of ``ssl._create_stdlib_context``
+with the ``ssl._create_default_https_context``.
Additionally ``ssl._create_stdlib_context`` is renamed
``ssl._create_unverified_context`` (an alias is kept around for backwards
@@ -116,6 +117,18 @@
Twisted's 14.0 release made this same change, and it has been met with almost
no opposition.
+Opting out
+----------
+
+For users who wish to opt out of certificate verification, they can achieve
+this by providing the ``context`` argument to ``urllib.urlopen``:
+
+ import ssl
+
+ # This restores the same behavior as before.
+ context = ssl._create_unverified_context()
+ urllib.urlopen("https://no-valid-cert", context=context)
+
Other protocols
===============
@@ -137,8 +150,7 @@
This PEP describes changes that will occur on both the 3.4.x, 3.5 and 2.7.X
branches. For 2.7.X this will require backporting the ``context``
(``SSLContext``) argument to ``httplib``, in addition to the features already
-backported in
-:pep:`466`.
+backported in :pep:`466`.
Implementation
==============
--
Repository URL: https://hg.python.org/peps
More information about the Python-checkins
mailing list