[issue19508] Add warning that Python doesn't verify SSL certs by default

2013-12-22 Thread Antoine Pitrou
Changes by Antoine Pitrou: -- status: open -> closed

[issue19508] Add warning that Python doesn't verify SSL certs by default

2013-11-17 Thread Antoine Pitrou
Antoine Pitrou added the comment: I've added a different warning to 2.7, as the ssl docs there don't have the "security considerations" section. -- resolution: -> fixed stage: needs patch -> committed/rejected versions: -Python 2.7, Python 3.2

[issue19508] Add warning that Python doesn't verify SSL certs by default

2013-11-17 Thread Roundup Robot
Roundup Robot added the comment: New changeset a197b3c3b2c9 by Antoine Pitrou in branch '2.7': Issue #19508: warn that ssl doesn't validate certificates by default http://hg.python.org/cpython/rev/a197b3c3b2c9

[issue19508] Add warning that Python doesn't verify SSL certs by default

2013-11-17 Thread Roundup Robot
Roundup Robot added the comment: New changeset f86fdaf529ea by Antoine Pitrou in branch '3.3': Issue #19508: direct the user to read the security considerations for the ssl module http://hg.python.org/cpython/rev/f86fdaf529ea New changeset 18d95780100e by Antoine Pitrou in branch 'default': Iss

[issue19508] Add warning that Python doesn't verify SSL certs by default

2013-11-17 Thread Georg Brandl
Georg Brandl added the comment: Sounds good. -- nosy: +georg.brandl

[issue19508] Add warning that Python doesn't verify SSL certs by default

2013-11-17 Thread Antoine Pitrou
Antoine Pitrou added the comment: Something like the following? -- keywords: +patch Added file: http://bugs.python.org/file32668/sslsec.patch

[issue19508] Add warning that Python doesn't verify SSL certs by default

2013-11-17 Thread Christian Heimes
Christian Heimes added the comment: I suggest that we add a red warning box at the top of the SSL module, too.

[issue19508] Add warning that Python doesn't verify SSL certs by default

2013-11-06 Thread STINNER Victor
STINNER Victor added the comment: > There is already an entire section about this: > http://docs.python.org/dev/library/ssl.html#security-considerations So we just need to add a link from http, ftp, imap, ... to this section? Using only http://docs.python.org/dev/library/ftplib.html#ftp-tls-obj

[issue19508] Add warning that Python doesn't verify SSL certs by default

2013-11-06 Thread Antoine Pitrou
Antoine Pitrou added the comment: There is already an entire section about this: http://docs.python.org/dev/library/ssl.html#security-considerations It's up to consumers of the API to choose their security policy, the ssl module merely provides building blocks to implement it. I think the ssl d

[issue19508] Add warning that Python doesn't verify SSL certs by default

2013-11-05 Thread Christian Heimes
New submission from Christian Heimes: Developers are still surprised that Python's ssl library doesn't validate SSL certs by default. We should add a *big* warning to the SSL module as well as to all consumers (http, ftp, imap, pop, smtp, nntp ...) that neither the CA cert chain nor the hostna