[issue40127] Documentation of SSL library
New submission from Christophe Nanteuil <christophe.nanteuil@gmail.com>:

For the ssl.create_default_context() function, it states that, "if cafile, capath and cadata are None, the function *can* choose to trust the system's default CA certificates instead". This statement is not clear as, if the values are None, there is no choice and the only elements available are the system's default CA. AFAIK, if the values are not None, it will not fall back to the system's default CA even if the given CA does not match.

I propose to modify the end of the sentence with "the function trusts the system's default CA certificates instead".

----------
assignee: docs@python
components: Documentation
messages: 365398
nosy: Christophe Nanteuil, docs@python
priority: normal
severity: normal
status: open
title: Documentation of SSL library
versions: Python 2.7, Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9

_______________________________________
Python tracker <report@bugs.python.org>
<https://bugs.python.org/issue40127>
_______________________________________
Change by Christophe Nanteuil <christophe.nanteuil@gmail.com>:

----------
type: -> enhancement
Change by Christophe Nanteuil <christophe.nanteuil@gmail.com>:

----------
keywords: +patch
pull_requests: +18611
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/19253
Christian Heimes <lists@cheimes.de> added the comment:

There are choices beyond our control. For example the operating system may not have a usable trust store. OpenSSL's builtin paths may not be correctly configured to locate the trust store. The user may have configured her/his environment to load other or no CA certs.

----------
nosy: +christian.heimes
Christophe Nanteuil <christophe.nanteuil@gmail.com> added the comment:

Thanks for clarifying the choice. I understand that we could state: "if cafile ... are None, the function falls back to user/system configuration (which is beyond this documentation)."

----------
Christophe Nanteuil <christophe.nanteuil@gmail.com> added the comment:

I modified the PR according to the source code: "if all three are None and SSLContext.verify_mode is not set to CERT_NONE, this function uses the system's default CA certificates."

The way the system is configured may depend on multiple parameters, but I hope this statement is clearer, and it disturbs me to read that the function "can choose", all the more for a security module.

----------
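The two points raised in this thread (defaults are loaded only when verify_mode is not CERT_NONE, and the system trust store may silently be empty or misconfigured) can be checked from Python itself. The script below is an added illustration, not part of the issue or of CPython; the function names trust_store_report and require_trust_anchors are assumptions, and it only uses public ssl APIs (create_default_context, get_default_verify_paths, cert_store_stats).

```python
import os
import ssl


def trust_store_report(purpose: ssl.Purpose = ssl.Purpose.SERVER_AUTH) -> dict:
    """Build a context exactly as create_default_context() does with no
    cafile/capath/cadata, and report where its trust anchors came from.

    The CA count can legitimately be 0: the OS may ship no trust store,
    OpenSSL's compiled-in paths may be wrong, or SSL_CERT_FILE/SSL_CERT_DIR
    may point at something empty. ssl does not raise in that case; the
    first verifying handshake just fails with CERTIFICATE_VERIFY_FAILED.
    """
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context(purpose)
    stats = ctx.cert_store_stats()
    return {
        "verify_mode": ctx.verify_mode.name,
        # Paths OpenSSL consults; None when the file/dir does not exist.
        "cafile": paths.cafile,
        "capath": paths.capath,
        # Environment overrides the user may have set (SSL_CERT_FILE/DIR).
        "env_cafile": os.environ.get(paths.openssl_cafile_env),
        "env_capath": os.environ.get(paths.openssl_capath_env),
        "x509_ca": stats["x509_ca"],
        # A verifying context with zero CA certs can never accept a peer.
        "usable": ctx.verify_mode == ssl.CERT_NONE or stats["x509_ca"] > 0,
    }


def require_trust_anchors(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Fail at startup rather than at handshake time when a verifying
    context ended up with no CA certificates loaded."""
    if ctx.verify_mode != ssl.CERT_NONE and ctx.cert_store_stats()["x509_ca"] == 0:
        raise RuntimeError(
            "verifying SSLContext has no CA certificates; check "
            "SSL_CERT_FILE/SSL_CERT_DIR and the OS trust store")
    return ctx


if __name__ == "__main__":
    # SERVER_AUTH (client side) loads defaults; CLIENT_AUTH (server side)
    # stays at CERT_NONE and loads nothing, matching the PR wording.
    for purpose in (ssl.Purpose.SERVER_AUTH, ssl.Purpose.CLIENT_AUTH):
        print(purpose.name, trust_store_report(purpose))
    require_trust_anchors(ssl.create_default_context())
```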
Change by Terry J. Reedy <tjreedy@udel.edu>:

----------
versions: -Python 2.7, Python 3.5, Python 3.6