[Python-checkins] peps: PEP 476: improve guidance on opting out

nick.coghlan python-checkins at python.org
Thu Apr 30 02:17:52 CEST 2015


https://hg.python.org/peps/rev/dfd96ee9d6a8
changeset:   5809:dfd96ee9d6a8
user:        Nick Coghlan <ncoghlan at gmail.com>
date:        Thu Apr 30 10:17:44 2015 +1000
summary:
  PEP 476: improve guidance on opting out

files:
  pep-0476.txt |  32 +++++++++++++++++++++++++++-----
  1 files changed, 27 insertions(+), 5 deletions(-)


diff --git a/pep-0476.txt b/pep-0476.txt
--- a/pep-0476.txt
+++ b/pep-0476.txt
@@ -121,8 +121,9 @@
 Opting out
 ----------
 
-For users who wish to opt out of certificate verification, they can achieve
-this by providing the ``context`` argument to ``urllib.urlopen``::
+For users who wish to opt out of certificate verification on a single
+connection, they can achieve this by providing the ``context`` argument to
+``urllib.urlopen``::
 
     import ssl
 
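Review bot: the new wording scopes the opt-out to "a single connection", but the example it introduces still calls `urllib.urlopen`, which is the Python 2 name; on the Python 3 releases that implement this PEP the call is `urllib.request.urlopen`. Since this section is the one administrators will copy, consider naming the Python 3 function (or showing both spellings) so the per-connection opt-out runs as written on both interpreter lines.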
@@ -130,12 +131,33 @@
     context = ssl._create_unverified_context()
     urllib.urlopen("https://no-valid-cert", context=context)
 
-It is also possible **though highly discouraged** to globally disable
-verification by monkeypatching the ``ssl`` module::
+It is also possible, **though highly discouraged**, to globally disable
+verification by monkeypatching the ``ssl`` module in versions of Python that
+implement this PEP::
 
     import ssl
 
-    ssl._create_default_https_context = ssl._create_unverified_context
+    try:
+        _create_unverified_https_context = ssl._create_unverified_context
+    except AttributeError:
+        # Legacy Python that doesn't verify HTTPS certificates by default
+        pass
+    else:
+        # Handle target environment that doesn't support HTTPS verification
+        ssl._create_default_https_context = _create_unverified_https_context
+
+This guidance is aimed primarily at system administrators that wish to adopt
+newer versions of Python that implement this PEP in legacy environments that
+do not yet support certificate verification on HTTPS connections. For
+example, an administrator may opt out by adding the monkeypatch above to
+``sitecustomize.py`` in their Standard Operating Environment for Python.
+Applications and libraries SHOULD NOT be making this change process wide
+(except perhaps in response to a system administrator controlled configuration
+setting).
+
+Particularly security sensitive applications should always provide an explicit
+application defined SSL context rather than relying on the default behaviour
+of the underlying Python implementation.
 
 Other protocols
 ===============
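Review bot: the `sitecustomize.py` recommendation turns the per-host monkeypatch into a silent, process-wide downgrade for every Python program on the system, with nothing recording that it happened. The parenthetical about an "administrator controlled configuration setting" is the right idea; suggest promoting it into the example itself, i.e. only assign `ssl._create_default_https_context` when that setting is present, and emit a warning when the patch is applied so the weakened state shows up in logs and audits rather than being discovered after a failed connection is quietly accepted. Two smaller points: the `except AttributeError: pass` branch is correct for legacy interpreters but the comment on the `else:` branch reads as if it describes the environment rather than the action taken (it actually installs the unverified context), and "Particularly security sensitive applications" is ambiguous; "Security-sensitive applications in particular should always provide..." says what is meant.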

-- 
Repository URL: https://hg.python.org/peps
