Commit 25960d0

bpo-32008: Prefer client or TLSv1_2 in examples
Signed-off-by: Christian Heimes <christian@python.org>
1 parent ba51880 commit 25960d0

File tree

1 file changed

+11
-8
lines changed

Doc/library/ssl.rst

Lines changed: 11 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -1701,13 +1701,15 @@ to speed up repeated connections from the same clients.
17011701
:meth:`~SSLContext.wrap_socket` in order to match the hostname. Enabling
17021702
hostname checking automatically sets :attr:`~SSLContext.verify_mode` from
17031703
:data:`CERT_NONE` to :data:`CERT_REQUIRED`. It cannot be set back to
1704-
:data:`CERT_NONE` as long as hostname checking is enabled.
1704+
:data:`CERT_NONE` as long as hostname checking is enabled. The
1705+
:data:`PROTOCOL_TLS_CLIENT` protocol enables hostname checking by default.
1706+
With other protocols, hostname checking must be enabled explicitly.
17051707

17061708
Example::
17071709

17081710
import socket, ssl
17091711

1710-
context = ssl.SSLContext()
1712+
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
17111713
context.verify_mode = ssl.CERT_REQUIRED
17121714
context.check_hostname = True
17131715
context.load_default_certs()
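Review bot: the example in this hunk is now inconsistent with the prose added two lines above it. The new sentences say that :data:`PROTOCOL_TLS_CLIENT` enables hostname checking by default (and, per the existing text, enabling hostname checking raises :attr:`~SSLContext.verify_mode` to :data:`CERT_REQUIRED`), yet the example switches to `context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)` and then sets `verify_mode` and `check_hostname` by hand. Either use `ssl.PROTOCOL_TLS_CLIENT` here, as the second hunk does, or add one sentence saying this example deliberately shows the explicit route for "other protocols", so a reader does not conclude the two manual assignments are still required with the client protocol.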
@@ -1952,19 +1954,20 @@ If you prefer to tune security settings yourself, you might create
19521954
a context from scratch (but beware that you might not get the settings
19531955
right)::
19541956

1955-
>>> context = ssl.SSLContext()
1956-
>>> context.verify_mode = ssl.CERT_REQUIRED
1957-
>>> context.check_hostname = True
1957+
>>> context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
19581958
>>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")
19591959

19601960
(this snippet assumes your operating system places a bundle of all CA
19611961
certificates in ``/etc/ssl/certs/ca-bundle.crt``; if not, you'll get an
19621962
error and have to adjust the location)
19631963

19641964
When you use the context to connect to a server, :const:`CERT_REQUIRED`
1965-
validates the server certificate: it ensures that the server certificate
1966-
was signed with one of the CA certificates, and checks the signature for
1967-
correctness::
1965+
validates the server certificate and :meth:`~SSLContext.check_hostname`
1966+
matches the hostname. Both setting ensure that the server certificate
1967+
was signed with one of the CA certificates and is a valid certificate
1968+
for the given server name. The :data:`PROTOCOL_TLS_CLIENT` protocol
1969+
configures the context for cert and hostname verification. All
1970+
remaining protocols are insecure by default::
19681971

19691972
>>> conn = context.wrap_socket(socket.socket(socket.AF_INET),
19701973
... server_hostname="www.python.org")
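Review bot: two slips in the rewritten paragraph at the end of this hunk. "Both setting ensure" should read "Both settings ensure", and `:meth:`~SSLContext.check_hostname`` uses the method role for what is an attribute; the first hunk already writes `:attr:`~SSLContext.verify_mode``, so this should be `:attr:`~SSLContext.check_hostname`` for consistency and a working cross-reference. The closing sentence "All remaining protocols are insecure by default" would also be more useful with the remedy attached, e.g. "... insecure by default and require :attr:`~SSLContext.verify_mode` and :attr:`~SSLContext.check_hostname` to be set explicitly", which is exactly what the example in the first hunk demonstrates.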
