Antoine Pitrou <pit...@free.fr> added the comment:

> Since SSLv2 is insecure, could you at least add a warning for that
> protocol? I think there was a separate issue for removing it
> altogether, but could a warning be added here?

I think it should be a separate issue (since it also applies to the
legacy API). I agree it's reasonable to issue a warning. I don't think
we should remove it until OpenSSL itself does, though.

> The documentation should mention that verify_mode=CERT_REQUIRED is 
> recommended for security.

I think we should recommend CERT_OPTIONAL. A server running with
CERT_REQUIRED would refuse clients without a client certificate, which
is probably not common practice for most servers.

(CERT_OPTIONAL is SSL_VERIFY_PEER, and
 CERT_REQUIRED is SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
The OpenSSL doc says there's no difference between the two when in client
mode)

> I think you need to expose SSL_CTX_set_options(). Currently the code
> just sets all options, which means that the default protocol SSLv23
> will accept SSLv2 which is insecure. Most people would want to
> probably do something like ctx.set_options(SSL_OP_ALL |
> SSL_OP_NO_SSLv2).

There is a separate issue for it (whose patch I will update to use the
new context API when it is committed):
http://bugs.python.org/issue4870
Do note that OpenSSL 1.0.0 disables SSLv2 by default when using SSLv23,
by the way.

> Otherwise I could not see issues with the code, apart from the still
> #if 0'd out sections and commented out sections, which you are
> planning on doing something about, right?

Yes, there's a bit of cleanup work remaining.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue8550>
_______________________________________
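An added example, not part of this tracker thread or of CPython's patch: it builds server contexts in both verification modes with today's ssl.SSLContext API and drives handshakes entirely in memory, showing that CERT_REQUIRED alone turns away a client that presents no certificate while CERT_OPTIONAL lets it in. The helper names (make_server_context, handshake_succeeds, run_demo) are assumptions, and the certificate is a constructed throwaway generated with the openssl CLI, which is assumed to be installed.

```python
import os, ssl, subprocess, tempfile

def make_test_cert(directory):
    """Constructed throwaway self-signed cert; assumes the openssl CLI is installed."""
    cert, key = os.path.join(directory, "cert.pem"), os.path.join(directory, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key

def make_server_context(cert, key, require_client_cert):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    # CERT_OPTIONAL = SSL_VERIFY_PEER; CERT_REQUIRED adds SSL_VERIFY_FAIL_IF_NO_PEER_CERT
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    ctx.load_verify_locations(cert)  # trust anchor used to check client certs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # modern form of SSL_OP_NO_SSLv2|SSLv3
    return ctx

def make_client_context(ca_cert, client_cert=None, client_key=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # client mode always verifies the server
    ctx.check_hostname = False  # the constructed cert carries no real hostname
    ctx.load_verify_locations(ca_cert)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx

def handshake_succeeds(server_ctx, client_ctx):
    c2s, s2c = ssl.MemoryBIO(), ssl.MemoryBIO()
    srv = server_ctx.wrap_bio(c2s, s2c, server_side=True)
    cli = client_ctx.wrap_bio(s2c, c2s, server_side=False)
    pending = [cli, srv]  # sides whose handshake has not completed yet
    try:
        for _ in range(10):  # more round trips than any TLS version needs
            for side in list(pending):
                try:
                    side.do_handshake()
                    pending.remove(side)
                except ssl.SSLWantReadError:
                    pass  # waiting for the peer's next flight
    except ssl.SSLError:  # e.g. "peer did not return a certificate"
        return False
    return not pending

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_test_cert(d)
        optional, required = make_server_context(cert, key, False), make_server_context(cert, key, True)
        return {"optional_no_client_cert": handshake_succeeds(optional, make_client_context(cert)),
                "required_no_client_cert": handshake_succeeds(required, make_client_context(cert)),
                "required_with_client_cert": handshake_succeeds(required, make_client_context(cert, cert, key))}
```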