Commit 894d0f7d authored by Christian Heimes, committed by Stéphane Wirtel

bpo-32008: Prefer client or TLSv1_2 in examples (GH-5797)

Prefer client or TLSv1_2 in examples
Signed-off-by: Christian Heimes <christian@python.org>
parent f545638b
...@@ -1882,13 +1882,15 @@ to speed up repeated connections from the same clients. ...@@ -1882,13 +1882,15 @@ to speed up repeated connections from the same clients.
:meth:`~SSLContext.wrap_socket` in order to match the hostname. Enabling :meth:`~SSLContext.wrap_socket` in order to match the hostname. Enabling
hostname checking automatically sets :attr:`~SSLContext.verify_mode` from hostname checking automatically sets :attr:`~SSLContext.verify_mode` from
:data:`CERT_NONE` to :data:`CERT_REQUIRED`. It cannot be set back to :data:`CERT_NONE` to :data:`CERT_REQUIRED`. It cannot be set back to
:data:`CERT_NONE` as long as hostname checking is enabled. :data:`CERT_NONE` as long as hostname checking is enabled. The
:data:`PROTOCOL_TLS_CLIENT` protocol enables hostname checking by default.
With other protocols, hostname checking must be enabled explicitly.
Example:: Example::
import socket, ssl import socket, ssl
context = ssl.SSLContext() context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
context.verify_mode = ssl.CERT_REQUIRED context.verify_mode = ssl.CERT_REQUIRED
context.check_hostname = True context.check_hostname = True
context.load_default_certs() context.load_default_certs()
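Review bot: the example that follows "With other protocols, hostname checking must be enabled explicitly" switches the old bare `ssl.SSLContext()` to `ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)` and keeps the manual `verify_mode = ssl.CERT_REQUIRED` and `check_hostname = True` lines, which does illustrate that sentence, but the reader is given no hint why the example does not simply use :data:`PROTOCOL_TLS_CLIENT`, which the sentence just before says turns both settings on by default. A short lead-in such as "PROTOCOL_TLSv1_2 is used here to show the settings being enabled by hand; PROTOCOL_TLS_CLIENT applies them for you" would make the contrast deliberate rather than look like an inconsistency between the two examples in this patch. It may also be worth saying that `PROTOCOL_TLSv1_2` pins a single protocol version, since the point of the text is the verification settings and not the version choice.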
...@@ -2217,19 +2219,23 @@ If you prefer to tune security settings yourself, you might create ...@@ -2217,19 +2219,23 @@ If you prefer to tune security settings yourself, you might create
a context from scratch (but beware that you might not get the settings a context from scratch (but beware that you might not get the settings
right):: right)::
>>> context = ssl.SSLContext() >>> context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
>>> context.verify_mode = ssl.CERT_REQUIRED
>>> context.check_hostname = True
>>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt") >>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")
(this snippet assumes your operating system places a bundle of all CA (this snippet assumes your operating system places a bundle of all CA
certificates in ``/etc/ssl/certs/ca-bundle.crt``; if not, you'll get an certificates in ``/etc/ssl/certs/ca-bundle.crt``; if not, you'll get an
error and have to adjust the location) error and have to adjust the location)
The :data:`PROTOCOL_TLS_CLIENT` protocol configures the context for cert
validation and hostname verification. :attr:`~SSLContext.verify_mode` is
set to :data:`CERT_REQUIRED` and :attr:`~SSLContext.check_hostname` is set
to ``True``. All other protocols create SSL contexts with insecure defaults.
When you use the context to connect to a server, :const:`CERT_REQUIRED` When you use the context to connect to a server, :const:`CERT_REQUIRED`
validates the server certificate: it ensures that the server certificate and :attr:`~SSLContext.check_hostname` validate the server certificate: it
was signed with one of the CA certificates, and checks the signature for ensures that the server certificate was signed with one of the CA
correctness:: certificates, checks the signature for correctness, and verifies other
properties like validity and identity of the hostname::
>>> conn = context.wrap_socket(socket.socket(socket.AF_INET), >>> conn = context.wrap_socket(socket.socket(socket.AF_INET),
... server_hostname="www.python.org") ... server_hostname="www.python.org")
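Review bot: the rewritten snippet now creates the context with `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` and then still sets `context.verify_mode = ssl.CERT_REQUIRED` and `context.check_hostname = True` by hand, while the new paragraph directly below states that :data:`PROTOCOL_TLS_CLIENT` already sets both of these. The two explicit lines are harmless but undercut the paragraph's point that the client protocol is the secure-by-default choice; either drop them from the snippet or add a note that they are shown only to make the resulting settings visible. The expanded wording "verifies other properties like validity and identity of the hostname" is a clear improvement over the old text, which only mentioned the CA signature, and it matches the `server_hostname="www.python.org"` argument in the `wrap_socket` call that follows.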