Re: [Django] #31885: Update SMTP Email Backend to use an SSLContext.

2023-02-02 Thread Django
#31885: Update SMTP Email Backend to use an SSLContext.
---------------------------------+--------------------------------------
     Reporter:  Luis Saavedra    |                    Owner:  Luis Saavedra
         Type:  Bug              |                   Status:  closed
    Component:  Core (Mail)      |                  Version:  dev
     Severity:  Normal           |               Resolution:  fixed
     Keywords:  SSL              |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  1
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+--------------------------------------
Changes (by Carlton Gibson):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 > ...override the ssl_context property to use custom crt/key files.

 The `ssl_context` still uses the settings, so not sure they need to
 subclass even.
 (I still think we expose too much of `smtplib` through the settings here,
 but progress there is likely Jacob's proposal from
 https://groups.google.com/g/django-developers/c/R8ebGynQjK0/m/kc-zggaxAgAJ)

 I agree the narrow ticket here was resolved in
 2848e5d0ce5cf3c31fe87525536093b21d570f69. 👍

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/0107018611aa7692-09ee60b5-36b6-468d-97d0-3739d1cf8963-00%40eu-central-1.amazonses.com.
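
The override quoted in the message above, an `ssl_context` that authenticates the mail server against a chosen CA and optionally presents a client certificate, as an added example (not Django's code and not code from this thread). It assumes the host backend reads `self.ssl_context`; the mixin, its attribute names and the stand-in `ExampleBackend` are hypothetical, and only the standard library is used.

```python
import ssl
from functools import cached_property


class VerifiedTLSContextMixin:
    """Added example: supplies `ssl_context` to an SMTP backend class.

    Assumption: the host class reads `self.ssl_context` when it starts TLS,
    as the thread says EmailBackend does. Attribute names are hypothetical.
    In a Django project: class MailBackend(VerifiedTLSContextMixin, EmailBackend)
    """

    ca_file = None          # PEM bundle of the CA(s) allowed to sign the server
    client_certfile = None  # optional client certificate for mutual TLS
    client_keyfile = None

    @cached_property
    def ssl_context(self):
        # create_default_context() enables CERT_REQUIRED and check_hostname.
        # With cafile=None the system CA store is used; with a cafile, only
        # that bundle is trusted. A missing file raises instead of silently
        # falling back to an unverified connection.
        context = ssl.create_default_context(cafile=self.ca_file)
        context.minimum_version = ssl.TLSVersion.TLSv1_2
        if self.client_certfile:
            # Client credentials identify us to the server; they do nothing
            # to authenticate the server.
            context.load_cert_chain(self.client_certfile, self.client_keyfile)
        return context


def unverified_context():
    """For contrast: TLS that encrypts but accepts any server certificate."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False  # must be cleared before CERT_NONE is allowed
    context.verify_mode = ssl.CERT_NONE
    return context


def describe(context):
    """Report the two settings that decide whether the server is authenticated."""
    return {
        "verifies_server": context.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": context.check_hostname,
    }


class ExampleBackend(VerifiedTLSContextMixin):
    """Stand-in host class so the example runs without Django installed."""
```

`describe()` gives a quick check for any context handed to `smtplib`: both values must be true for the server to be authenticated.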


Re: [Django] #31885: Update SMTP Email Backend to use an SSLContext.

2023-02-02 Thread Django
#31885: Update SMTP Email Backend to use an SSLContext.
---------------------------------+--------------------------------------
     Reporter:  Luis Saavedra    |                    Owner:  Luis Saavedra
         Type:  Bug              |                   Status:  assigned
    Component:  Core (Mail)      |                  Version:  dev
     Severity:  Normal           |               Resolution:
     Keywords:  SSL              |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  1
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+--------------------------------------
Changes (by Mariusz Felisiak):

 * cc: Carlton Gibson (added)


Comment:

 `EmailBackend` uses `SSLContext` since
 2848e5d0ce5cf3c31fe87525536093b21d570f69. Users can subclass
 `EmailBackend` and override the `ssl_context` property to use custom
 crt/key files. Maybe it's enough to consider this ticket as fixed 🤔



Re: [Django] #31885: Update SMTP Email Backend to use an SSLContext.

2021-03-31 Thread Django
#31885: Update SMTP Email Backend to use an SSLContext.
---------------------------------+--------------------------------------
     Reporter:  Luis Saavedra    |                    Owner:  Luis Saavedra
         Type:  Bug              |                   Status:  assigned
    Component:  Core (Mail)      |                  Version:  dev
     Severity:  Normal           |               Resolution:
     Keywords:  SSL              |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  1
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+--------------------------------------

Comment (by Carlton Gibson):

 So
 [https://github.com/django/django/pull/13305#pullrequestreview-625047316
 conclusion on the PR] is that we should add the option to accept the
 parameters for an SSLContext on EmailBackend but **not** add them as
 settings. (The default is to use the system CA certs which is what most
 people want/need.)

 We will then recommend subclassing in the docs for more control.

 At the same time we should deprecate EMAIL_SSL_CERTFILE and
 EMAIL_SSL_KEYFILE for the same reasons.



Re: [Django] #31885: Update SMTP Email Backend to use an SSLContext.

2020-11-26 Thread Django
#31885: Update SMTP Email Backend to use an SSLContext.
---------------------------------+--------------------------------------
     Reporter:  Luis Saavedra    |                    Owner:  Luis Saavedra
         Type:  Bug              |                   Status:  assigned
    Component:  Core (Mail)      |                  Version:  master
     Severity:  Normal           |               Resolution:
     Keywords:  SSL              |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  1
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+--------------------------------------
Changes (by Carlton Gibson):

 * needs_better_patch:  0 => 1


Comment:

 PR looks good. Just needs to add deprecations for the old keyfile and
 certfile way of doing things.



Re: [Django] #31885: Update SMTP Email Backend to use an SSLContext.

2020-11-19 Thread Django
#31885: Update SMTP Email Backend to use an SSLContext.
---------------------------------+--------------------------------------
     Reporter:  Luis Saavedra    |                    Owner:  Luis Saavedra
         Type:  Bug              |                   Status:  assigned
    Component:  Core (Mail)      |                  Version:  master
     Severity:  Normal           |               Resolution:
     Keywords:  SSL              |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+--------------------------------------
Changes (by Carlton Gibson):

 * needs_better_patch:  1 => 0
 * needs_tests:  1 => 0
 * needs_docs:  1 => 0


Comment:

 Updating flags to put back in the review queue



Re: [Django] #31885: Update SMTP Email Backend to use an SSLContext.

2020-08-18 Thread Django
#31885: Update SMTP Email Backend to use an SSLContext.
---------------------------------+--------------------------------------
     Reporter:  Luis Saavedra    |                    Owner:  Luis Saavedra
         Type:  Bug              |                   Status:  assigned
    Component:  Core (Mail)      |                  Version:  master
     Severity:  Normal           |               Resolution:
     Keywords:  SSL              |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  1
  Needs tests:  1                |  Patch needs improvement:  1
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+--------------------------------------

Comment (by Luis Saavedra):

 The old settings are good because they set the authenticity credentials of
 a client; this pull request adds the CA parameters to check the
 authenticity of the server. A man-in-the-middle attack can pass any
 certificate to the client, and the client can't check the authenticity
 because it doesn't have CA parameters.



Re: [Django] #31885: Update SMTP Email Backend to use an SSLContext. (was: add EmalBackend CA parameters #13305)

2020-08-18 Thread Django
#31885: Update SMTP Email Backend to use an SSLContext.
---------------------------------+--------------------------------------
     Reporter:  Luis Saavedra    |                    Owner:  Luis Saavedra
         Type:  Bug              |                   Status:  assigned
    Component:  Core (Mail)      |                  Version:  master
     Severity:  Normal           |               Resolution:
     Keywords:  SSL              |             Triage Stage:  Accepted
    Has patch:  1                |      Needs documentation:  1
  Needs tests:  1                |  Patch needs improvement:  1
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+--------------------------------------
Changes (by Carlton Gibson):

 * status:  new => assigned
 * needs_better_patch:  0 => 1
 * needs_tests:  0 => 1
 * owner:  nobody => Luis Saavedra
 * needs_docs:  0 => 1
 * has_patch:  0 => 1
 * stage:  Unreviewed => Accepted


Old description:

> set ssl cert and key outside a SSLContext object are deprecated and we
> need add CA parameters to make the server authentication
>
> https://github.com/django/django/pull/13305

New description:

 Setting SSL cert and key in
 [https://docs.python.org/3.8/library/smtplib.html#smtplib.SMTP.starttls
 `SMTP.starttls()`] is deprecated (since Python 3.6) in favour of passing
 an SSLContext. Update the SMTP backend to use the newer API.

 https://github.com/django/django/pull/13305

--

Comment:

 Thanks for the report. Yes, an update here sounds good.

 We'll need docs and tests for the changes. You've added new settings,
 those will need documenting too.
 Then, do we need to deprecate the old settings, as no longer appropriate?
