[Python-checkins] cpython (merge 3.3 -> default): Issue #19508: direct the user to read the security considerations for the ssl
antoine.pitrou
python-checkins at python.org
Sun Nov 17 15:36:14 CET 2013
http://hg.python.org/cpython/rev/18d95780100e
changeset: 87203:18d95780100e
parent: 87201:da10196b94f4
parent: 87202:f86fdaf529ea
user: Antoine Pitrou <solipsis at pitrou.net>
date: Sun Nov 17 15:36:03 2013 +0100
summary:
Issue #19508: direct the user to read the security considerations for the ssl module
files:
Doc/library/ssl.rst | 19 ++++++++++++++-----
1 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -30,12 +30,10 @@
openssl version 1.0.1.
.. warning::
+ Don't use this module without reading the :ref:`ssl-security`. Doing so
+ may lead to a false sense of security, as the default settings of the
+ ssl module are not necessarily appropriate for your application.
- OpenSSL's internal random number generator does not properly handle fork.
- Applications must change the PRNG state of the parent process if they use
- any SSL feature with :func:`os.fork`. Any successful call of
- :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or
- :func:`~ssl.RAND_pseudo_bytes` is sufficient.
This section documents the objects and functions in the ``ssl`` module; for more
general information about TLS, SSL, and certificates, the reader is referred to
@@ -1480,6 +1478,17 @@
If you want to check which ciphers are enabled by a given cipher list,
use the ``openssl ciphers`` command on your system.
+Multi-processing
+^^^^^^^^^^^^^^^^
+
+If using this module as part of a multi-processed application (using,
+for example the :mod:`multiprocessing` or :mod:`concurrent.futures` modules),
+be aware that OpenSSL's internal random number generator does not properly
+handle forked processes. Applications must change the PRNG state of the
+parent process if they use any SSL feature with :func:`os.fork`. Any
+successful call of :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or
+:func:`~ssl.RAND_pseudo_bytes` is sufficient.
+
.. seealso::
--
Repository URL: http://hg.python.org/cpython
More information about the Python-checkins
mailing list