[Python-Dev] Whats New in 3.4 is pretty much done...

R. David Murray rdmurray at bitdance.com
Thu Mar 13 23:24:12 CET 2014


On Thu, 13 Mar 2014 15:23:14 -0500, "Andrew M. Hettinger" <AHettinger at Prominic.NET> wrote:
> Antoine Pitrou <solipsis at pitrou.net> wrote on 03/13/2014 01:46:12 PM:
> > On Thu, 13 Mar 2014 14:57:41 +0100
> > Victor Stinner <victor.stinner at gmail.com> wrote:
> > > 2014-03-13 11:49 GMT+01:00 Christian Heimes <christian at python.org>:
> > > > * All stdlib modules now support server cert verification including
> > > > hostname matching and CRL.
> > > >
> > > > * http://bugs.python.org/issue16499 isolated mode is a security
> > > > improvement, too.
> > >
> > > Ok, I added these two items.
> > >
> > > Antoine wrote:
> > > > CRL? really? I don't remember us doing automatic CRL downloads.
> > >
> > > It's just the "support", nothing is automatic. I understood that you
> > > *can* load CRL and ask for CRL validation, but it must be done
> > > explicitly. There is a function to retrieve system CRLs on Windows.
> >
> > Then you should perhaps make your phrasing more explicit, because
> > people may wrongly assume that CRL checking will be done automatically
> > (IMHO).
> >
> > (especially since hostname checking, AFAIK, *is* automatic now)
> Sorry if I'm out of line on my first post to this list, but I've been using
> the ssl module in 3.4 some lately (indeed, I have an open RFE on it for
> 3.5).
> 
> While hostname checking can be done automatically, it's not the default
> (and if it will even work at all depends on the version of openssl
> installed).
> I suppose I could see it changed to read:
> 
> * All stdlib modules now support server cert verification including
> hostname matching and CRL verification (but not automatic download).
> 
> Of course, the reality is, using the ssl module requires a vary careful
> attention to detail, and probably always will. If a programmer is just
> going by the "What's New" section for security related code, I'm not sure
> there's much you can to to save them. ;p

I opened issue 20913 to request that some sort of "best practices"
documentation be added either to the SSL docs or as a separate chapter
in the library reference.

I do not feel competent to adjust the content of the security entries
in whatsnew, so I have not.  If someone wants to propose a patch or
make an edit before Larry copies the files, please feel free.

--David


More information about the Python-Dev mailing list