peps: PEP 476: improve guidance on opting out
https://hg.python.org/peps/rev/dfd96ee9d6a8 changeset: 5809:dfd96ee9d6a8 user: Nick Coghlan <ncoghlan@gmail.com> date: Thu Apr 30 10:17:44 2015 +1000 summary: PEP 476: improve guidance on opting out files: pep-0476.txt | 32 +++++++++++++++++++++++++++----- 1 files changed, 27 insertions(+), 5 deletions(-) diff --git a/pep-0476.txt b/pep-0476.txt --- a/pep-0476.txt +++ b/pep-0476.txt @@ -121,8 +121,9 @@ Opting out ---------- -For users who wish to opt out of certificate verification, they can achieve -this by providing the ``context`` argument to ``urllib.urlopen``:: +For users who wish to opt out of certificate verification on a single +connection, they can achieve this by providing the ``context`` argument to +``urllib.urlopen``:: import ssl 
@@ -130,12 +131,33 @@ context = ssl._create_unverified_context() urllib.urlopen("https://no-valid-cert", context=context) -It is also possible **though highly discouraged** to globally disable -verification by monkeypatching the ``ssl`` module:: +It is also possible, **though highly discouraged**, to globally disable +verification by monkeypatching the ``ssl`` module in versions of Python that +implement this PEP:: import ssl - ssl._create_default_https_context = ssl._create_unverified_context + try: + _create_unverified_https_context = ssl._create_unverified_context + except AttributeError: + # Legacy Python that doesn't verify HTTPS certificates by default + pass + else: + # Handle target environment that doesn't support HTTPS verification + ssl._create_default_https_context = _create_unverified_https_context + +This guidance is aimed primarily at system administrators that wish to adopt +newer versions of Python that implement this PEP in legacy environments that +do not yet support certificate verification on HTTPS connections. For +example, an administrator may opt out by adding the monkeypatch above to +``sitecustomize.py`` in their Standard Operating Environment for Python. +Applications and libraries SHOULD NOT be making this change process wide +(except perhaps in response to a system administrator controlled configuration +setting). + +Particularly security sensitive applications should always provide an explicit +application defined SSL context rather than relying on the default behaviour +of the underlying Python implementation. Other protocols =============== -- Repository URL: https://hg.python.org/peps
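Review bot: the per-connection example in the first hunk (the ``+`` lines ending in ``urllib.urlopen``::) uses the Python 2 spelling of the call; on Python 3 the function is ``urllib.request.urlopen``, and the snippet shows only ``import ssl``, so neither ``urllib`` nor ``urllib.request`` is imported before the call. Suggest either showing the Python 3 form, e.g. ``import urllib.request`` followed by ``urllib.request.urlopen("https://no-valid-cert", context=context)``, or stating that the example is written for the 2.7 series.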
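Review bot: in the second hunk the ``sitecustomize.py`` recommendation installs the monkeypatch unconditionally for every process started by that interpreter, yet the same paragraph says applications and libraries should only make the change "in response to a system administrator controlled configuration setting", and the example shows no such gate. Suggest guarding the ``else:`` branch on that admin-controlled setting (an environment variable or config file consulted from ``sitecustomize.py``) so the opt-out is deliberate and auditable, and stating explicitly that the patch only replaces ``ssl._create_default_https_context``, so code that supplies its own explicitly constructed context, as the final added paragraph recommends, is not affected by it. Minor wording: "system administrators that wish" reads better as "who wish", and "process wide" should be hyphenated as "process-wide".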