Antoine Pitrou <solipsis@pitrou.net> wrote on 03/13/2014 01:46:12 PM:
> On Thu, 13 Mar 2014 14:57:41 +0100
> Victor Stinner <victor.stinner@gmail.com> wrote:
> > 2014-03-13 11:49 GMT+01:00 Christian Heimes <christian@python.org>:
> > > * All stdlib modules now support server cert verification including
> > > hostname matching and CRL.
> > >
> > > * http://bugs.python.org/issue16499 isolated mode is a security
> > > improvement, too.
> >
> > Ok, I added these two items.
> >
> > Antoine wrote:
> > > CRL? really? I don't remember us doing automatic CRL downloads.
> >
> > It's just the "support", nothing is automatic. I understood that you
> > *can* load CRL and ask for CRL validation, but it must be done
> > explicitly. There is a function to retrieve system CRLs on Windows.
>
> Then you should perhaps make your phrasing more explicit, because
> people may wrongly assume that CRL checking will be done automatically
> (IMHO).
>
> (especially since hostname checking, AFAIK, *is* automatic now)
Sorry if I'm out of line on my first post to this list, but I've been using the ssl module in 3.4 some lately (indeed, I have an open RFE on it for 3.5).
While hostname checking can be done automatically, it's not the default (and if it will even work at all depends on the version of openssl installed).
I suppose I could see it changed to read:

* All stdlib modules now support server cert verification including hostname matching and CRL verification (but not automatic download).

Of course, the reality is, using the ssl module requires a very careful attention to detail, and probably always will. If a programmer is just going by the "What's New" section for security related code, I'm not sure there's much you can do to save them. ;p

>
> Regards
>
> Antoine.
>
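To make concrete what "support, nothing is automatic" means for the ssl module discussed above, here is an added example (not code from the thread or from CPython itself) that builds a client context with the three opt-in pieces spelled out: required server certificate verification, hostname matching, and CRL checking of the server's leaf certificate. The `cafile` / `crl_file` / `check_crl` parameters and the helper names are this example's own; the `ssl` calls (`create_default_context`, `load_verify_locations`, `VERIFY_CRL_CHECK_LEAF`, `enum_crls`) are real stdlib APIs that exist from Python 3.4 on.

```python
import ssl
import sys


def hardened_client_context(cafile=None, crl_file=None, check_crl=False):
    """Return a client SSLContext with verification settings made explicit.

    cafile:    optional PEM bundle of trusted CAs (system store when None)
    crl_file:  optional PEM CRL; it is loaded from disk, never downloaded
    check_crl: ask OpenSSL to consult loaded CRLs for the server (leaf) cert
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Spell these out even though create_default_context() already sets them;
    # a bare SSLContext() in 3.4 does neither.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if crl_file is not None:
        # CRLs go through the same call as CA certificates (PEM is accepted).
        ctx.load_verify_locations(cafile=crl_file)
    if check_crl:
        # With this flag set and no CRL loaded for the issuing CA, the handshake
        # fails ("unable to get certificate CRL"); that is the safe failure mode.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def system_crls():
    """Return the CRLs the platform store offers.

    Only Windows has a stdlib enumerator (ssl.enum_crls); elsewhere the
    caller has to obtain CRL files by other means, so return an empty list.
    """
    if sys.platform == "win32":
        return list(ssl.enum_crls("CA")) + list(ssl.enum_crls("ROOT"))
    return []


def describe(ctx):
    """Summarise the settings a reviewer would want to see on a context."""
    return {
        "verify_mode": int(ctx.verify_mode),          # 2 == ssl.CERT_REQUIRED
        "check_hostname": ctx.check_hostname,
        "crl_check_leaf": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }


if __name__ == "__main__":
    # Hypothetical file name; supply a real PEM CRL for the issuing CA.
    print(describe(hardened_client_context(check_crl=True)))
    print("system CRLs:", len(system_crls()))
```

Pass the resulting context to `ssl.SSLContext.wrap_socket(sock, server_hostname=...)` or to `http.client.HTTPSConnection(host, context=ctx)`; with `check_crl=True` and no matching CRL loaded, every handshake is refused rather than silently skipping revocation.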