[issue24516] SSL create_default_socket purpose insufficiently documented
New submission from Petr Messner:

Please, is it possible to put more information about the purpose parameter to the documentation of ssl.create_default_context()? It's not obvious that SERVER_AUTH should be used for client sockets and not server sockets. It took me a while to discover this, while all I was getting was only "SSLEOFError: EOF occurred in violation of protocol" (which is also not helpful). This is especially confusing, because OpenSSL uses serverAuth and clientAuth (for extendedKeyUsage configuration) in exactly the opposite meaning.

----------
assignee: docs@python
components: Documentation
messages: 245852
nosy: docs@python, messa
priority: normal
severity: normal
status: open
title: SSL create_default_socket purpose insufficiently documented
type: enhancement
versions: Python 3.4

_______________________________________
Python tracker <report@bugs.python.org>
<http://bugs.python.org/issue24516>
_______________________________________
Christian Heimes added the comment:

Python uses serverAuth and clientAuth in the exact same meaning as EKU (extended key usage). In order to create an X.509 cert for a web server, it should have EKU "SSL/TLS Web Server Authentication". On the other hand a client must validate the cert for a specific purpose, too. So the client creates a context with purpose SERVER_AUTH. This loads only trust anchors which are flagged with EKU "SSL/TLS Web Server Authentication".

For a TLS/SSL server it is the other way around. The server side uses a context with CLIENT_AUTH to load only root certs that can validate client certs.

Other purposes aren't supported because Python's ssl supports neither S/MIME nor code signing.

https://docs.python.org/2/library/ssl.html#ssl.SSLContext.load_default_certs explains the purpose flags, too.

----------
nosy: +christian.heimes
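As an added example (not code from this thread or from CPython), a small helper that maps the role of the local socket to the purpose Christian describes, and shows the verification settings each choice produces; `purpose_for`, `make_context` and `describe` are names chosen here.

```python
import ssl

# The purpose names what the PEER's certificate must be good for, which is
# why a client socket asks for SERVER_AUTH (it validates the server) and a
# server socket asks for CLIENT_AUTH (it validates client certificates).
_PURPOSE_FOR_ROLE = {
    "client": ssl.Purpose.SERVER_AUTH,
    "server": ssl.Purpose.CLIENT_AUTH,
}


def purpose_for(role):
    """Map the role of the local socket ('client' or 'server') to a Purpose."""
    return _PURPOSE_FOR_ROLE[role]


def make_context(role, require_client_cert=False, client_ca_file=None):
    """Build an SSLContext for a socket acting as `role`.

    For a client, create_default_context() already turns on certificate
    verification and hostname checking.  For a server, verification of the
    peer is off by default; pass require_client_cert=True (and the CA bundle
    that issued the client certificates) to demand mutual TLS.
    """
    ctx = ssl.create_default_context(purpose_for(role))
    if role == "server" and require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
        if client_ca_file is not None:
            ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def describe(ctx):
    """Summarise the peer-verification settings of a context."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    for p in (ssl.Purpose.SERVER_AUTH, ssl.Purpose.CLIENT_AUTH):
        # shortname/longname/oid come straight from OpenSSL's EKU object table
        print(f"{p.name:<11} -> EKU {p.shortname} ({p.longname}), OID {p.oid}")
    print("client socket:", describe(make_context("client")))
    print("server socket:", describe(make_context("server")))
    print("server, mTLS: ", describe(make_context("server", require_client_cert=True)))
```

Running it prints that Purpose.SERVER_AUTH is the serverAuth EKU and that the client context is the one with CERT_REQUIRED and hostname checking enabled, which is the pairing the original report found surprising.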
Changes by Martin Panter <vadmium+py@gmail.com>:

----------
nosy: +vadmium
Changes by Christian Heimes <lists@cheimes.de>:

----------
versions: +Python 3.6, Python 3.7 -Python 3.4
Changes by Christian Heimes <lists@cheimes.de>:

----------
components: +SSL
Changes by Christian Heimes <lists@cheimes.de>:

----------
resolution: -> out of date
stage: -> resolved
status: open -> closed
participants (3)
- Christian Heimes
- Martin Panter
- Petr Messner