[Python-Dev] Whats New in 3.4 is pretty much done...

Andrew M. Hettinger AHettinger at Prominic.NET
Thu Mar 13 21:23:14 CET 2014




Antoine Pitrou <solipsis at pitrou.net> wrote on 03/13/2014 01:46:12 PM:
> On Thu, 13 Mar 2014 14:57:41 +0100
> Victor Stinner <victor.stinner at gmail.com> wrote:
> > 2014-03-13 11:49 GMT+01:00 Christian Heimes <christian at python.org>:
> > > * All stdlib modules now support server cert verification including
> > > hostname matching and CRL.
> > >
> > > * http://bugs.python.org/issue16499 isolated mode is a security
> > > improvement, too.
> >
> > Ok, I added these two items.
> >
> > Antoine wrote:
> > > CRL? really? I don't remember us doing automatic CRL downloads.
> >
> > It's just the "support", nothing is automatic. I understood that you
> > *can* load CRL and ask for CRL validation, but it must be done
> > explicitly. There is a function to retrieve system CRLs on Windows.
>
> Then you should perhaps make your phrasing more explicit, because
> people may wrongly assume that CRL checking will be done automatically
> (IMHO).
>
> (especially since hostname checking, AFAIK, *is* automatic now)
Sorry if I'm out of line on my first post to this list, but I've been using
the ssl module in 3.4 some lately (indeed, I have an open RFE on it for
3.5).

While hostname checking can be done automatically, it's not the default
(and if it will even work at all depends on the version of openssl
installed).
I suppose I could see it changed to read:

* All stdlib modules now support server cert verification including
hostname matching and CRL verification (but not automatic download).

Of course, the reality is, using the ssl module requires a very careful
attention to detail, and probably always will. If a programmer is just
going by the "What's New" section for security related code, I'm not sure
there's much you can do to save them. ;p

>
> Regards
>
> Antoine.
>
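As an added example (not part of the thread above), the explicit configuration the posters are describing: with a bare SSLContext, certificate checking, hostname matching and CRL checking each have to be switched on by the caller, and the CRL flag is only safe to set once a CRL has actually been loaded. The helper and function names below are my own, not stdlib API.

```python
import ssl

# Use the client-side protocol constant where it exists (3.6+); the 3.4-era
# releases discussed above only had the generic constant as a fallback.
_PROTO = getattr(ssl, "PROTOCOL_TLS_CLIENT", ssl.PROTOCOL_SSLv23)


def legacy_style_context():
    """Model a bare 3.4-era SSLContext: no hostname check, no cert check."""
    ctx = ssl.SSLContext(_PROTO)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_verified_context(cafile=None, crlfile=None):
    """Build a client context with every check turned on explicitly.

    cafile:  PEM bundle of trusted CAs (None -> platform default store).
    crlfile: PEM CRL to load. The CRL flag is set only when a CRL is
             loaded: with the flag on and no CRL for the issuer in the
             store, OpenSSL fails every handshake ("unable to get
             certificate CRL"). Nothing downloads CRLs for you.
    """
    ctx = ssl.SSLContext(_PROTO)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True           # not implied by CERT_REQUIRED in 3.4
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if crlfile:
        ctx.load_verify_locations(cafile=crlfile)  # CRLs load via same call
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def audit_context(ctx):
    """Return the verification gaps a reviewer would flag on a context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        findings.append("no CRL check (revoked certificates accepted)")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates loaded")
    return findings


if __name__ == "__main__":
    print("legacy  :", audit_context(legacy_style_context()))
    print("hardened:", audit_context(make_verified_context()))
```

Even the hardened context still reports the missing CRL check until a CRL file is passed in, which is exactly the "support, nothing automatic" distinction discussed above.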