[Python-checkins] cpython (merge 3.3 -> default): Issue #19508: direct the user to read the security considerations for the ssl

antoine.pitrou python-checkins at python.org
Sun Nov 17 15:36:14 CET 2013


http://hg.python.org/cpython/rev/18d95780100e
changeset:   87203:18d95780100e
parent:      87201:da10196b94f4
parent:      87202:f86fdaf529ea
user:        Antoine Pitrou <solipsis at pitrou.net>
date:        Sun Nov 17 15:36:03 2013 +0100
summary:
  Issue #19508: direct the user to read the security considerations for the ssl module

files:
  Doc/library/ssl.rst |  19 ++++++++++++++-----
  1 files changed, 14 insertions(+), 5 deletions(-)


diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -30,12 +30,10 @@
    openssl version 1.0.1.
 
 .. warning::
+   Don't use this module without reading the :ref:`ssl-security`.  Doing so
+   may lead to a false sense of security, as the default settings of the
+   ssl module are not necessarily appropriate for your application.
 
-   OpenSSL's internal random number generator does not properly handle fork.
-   Applications must change the PRNG state of the parent process if they use
-   any SSL feature with :func:`os.fork`. Any successful call of
-   :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or
-   :func:`~ssl.RAND_pseudo_bytes` is sufficient.
 
 This section documents the objects and functions in the ``ssl`` module; for more
 general information about TLS, SSL, and certificates, the reader is referred to
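Review bot: The new warning at the top of the page drops the fork caveat entirely and points only at :ref:`ssl-security`, so a reader who uses :func:`os.fork` is still warned only if the "Multi-processing" subsection added in the second hunk sits under that label. The diff does not show where the label is, so this is worth confirming. The sentence "the default settings of the ssl module are not necessarily appropriate for your application" would also help more if it named at least one setting the reader should check. Minor: the hunk leaves two consecutive blank lines after the warning body; one can be dropped.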
@@ -1480,6 +1478,17 @@
 If you want to check which ciphers are enabled by a given cipher list,
 use the ``openssl ciphers`` command on your system.
 
+Multi-processing
+^^^^^^^^^^^^^^^^
+
+If using this module as part of a multi-processed application (using,
+for example the :mod:`multiprocessing` or :mod:`concurrent.futures` modules),
+be aware that OpenSSL's internal random number generator does not properly
+handle forked processes.  Applications must change the PRNG state of the
+parent process if they use any SSL feature with :func:`os.fork`.  Any
+successful call of :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or
+:func:`~ssl.RAND_pseudo_bytes` is sufficient.
+
 
 .. seealso::
 
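Review bot: The added paragraph gives :mod:`multiprocessing` and :mod:`concurrent.futures` as its examples but then states the requirement in terms of :func:`os.fork`, which users of those modules do not call themselves. State at which point, relative to starting the worker processes, the parent has to change the PRNG state, so the instruction is actionable. "Any successful call of ... is sufficient" is carried over unchanged from the removed warning and still does not say whether one call covers all later forks or a call is needed for each fork. Small points: a comma is missing in "using, for example the", and the hunk adds a second blank line before ``.. seealso::``.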

-- 
Repository URL: http://hg.python.org/cpython

