[Python-Dev] Whats New in 3.4 is pretty much done... (original) (raw)
R. David Murray rdmurray at bitdance.com
Thu Mar 13 23:24:12 CET 2014
- Previous message: [Python-Dev] Whats New in 3.4 is pretty much done...
- Next message: [Python-Dev] Whats New in 3.4 is pretty much done...
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, 13 Mar 2014 15:23:14 -0500, "Andrew M. Hettinger" <AHettinger at Prominic.NET> wrote:
Antoine Pitrou <solipsis at pitrou.net> wrote on 03/13/2014 01:46:12 PM: > On Thu, 13 Mar 2014 14:57:41 +0100 > Victor Stinner <victor.stinner at gmail.com> wrote: > > 2014-03-13 11:49 GMT+01:00 Christian Heimes <christian at python.org>: > > > * All stdlib modules now support server cert verification including > > > hostname matching and CRL. > > > > > > * http://bugs.python.org/issue16499 isolated mode is a security > > > improvement, too. > > > > Ok, I added these two items. > > > > Antoine wrote: > > > CRL? really? I don't remember us doing automatic CRL downloads. > > > > It's just the "support", nothing is automatic. I understood that you > > can load CRL and ask for CRL validation, but it must be done > > explicitly. There is a function to retrieve system CRLs on Windows. > > Then you should perhaps make your phrasing more explicit, because > people may wrongly assume that CRL checking will be done automatically > (IMHO). > > (especially since hostname checking, AFAIK, is automatic now) Sorry if I'm out of line on my first post to this list, but I've been using the ssl module in 3.4 some lately (indeed, I have an open RFE on it for 3.5).
While hostname checking can be done automatically, it's not the default (and if it will even work at all depends on the version of openssl installed). I suppose I could see it changed to read: * All stdlib modules now support server cert verification including hostname matching and CRL verification (but not automatic download). Of course, the reality is, using the ssl module requires a vary careful attention to detail, and probably always will. If a programmer is just going by the "What's New" section for security related code, I'm not sure there's much you can to to save them. ;p
I opened issue 20913 to request that some sort of "best practices" documentation be added either to the SSL docs or as a separate chapter in the library reference.
I do not feel competent to adjust the content of the security entries in whatsnew, so I have not. If someone wants to propose a patch or make an edit before Larry copies the files, please feel free.
--David
- Previous message: [Python-Dev] Whats New in 3.4 is pretty much done...
- Next message: [Python-Dev] Whats New in 3.4 is pretty much done...
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]