[New-bugs-announce] [issue38036] ssl docs say that ssl.SSLContext() is secure-by-default since 3.6, but it isn't
report at bugs.python.org
Thu Sep 5 03:31:45 EDT 2019
New submission from Nathaniel Smith <njs at pobox.com>:
Quoting from the docs for ssl.SSLContext:
"Changed in version 3.6: The context is created with secure default values."
This is not true. If you call ssl.SSLContext(), you get a context with cert validation entirely disabled. And this has led to serious security bugs in practice: https://github.com/theelous3/asks/issues/134
Changing the defaults to make them actually secure would of course be nice, but is a complicated question that would need discussion. In the mean time, the docs shouldn't claim that it's secure. There should be a big bold note saying "UNLESS YOU HAVE A VERY GOOD REASON, DON'T USE THIS, USE ssl.create_default_connection()".
nosy: alex, christian.heimes, dstufft, janssen, njs
title: ssl docs say that ssl.SSLContext() is secure-by-default since 3.6, but it isn't
Python tracker <report at bugs.python.org>
More information about the New-bugs-announce