PEP476: Updates based on feedback from Guido.

Fixed several typos, cleaned up language, and included an example of opting out
Alex Gaynor 2014-09-19 15:33:00 -07:00
parent 53dc5c2c30
commit ad1de7d800
1 changed files with 25 additions and 13 deletions


@ -11,13 +11,13 @@ Created: 28-August-2014
Abstract
========
Currently when a standard library http client (the ``urllib`` and ``http``
modules) encounters an ``https://`` URL it will wrap the network HTTP traffic
in a TLS stream, as is necessary to communicate with such a server. However,
during the TLS handshake it will not actually check that the server has an X509
certificate is signed by a CA in any trust root, nor will it verify that the
Common Name (or Subject Alternate Name) on the presented certificate matches
the requested host.
Currently when a standard library http client (the ``urllib``, ``urllib2``,
``http``, and ``httplib`` modules) encounters an ``https://`` URL it will wrap
the network HTTP traffic in a TLS stream, as is necessary to communicate with
such a server. However, during the TLS handshake it will not actually check
that the server has an X509 certificate is signed by a CA in any trust root,
nor will it verify that the Common Name (or Subject Alternate Name) on the
presented certificate matches the requested host.
The failure to do these checks means that anyone with a privileged network
position is able to trivially execute a man in the middle attack against a
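Review bot: the rewritten abstract keeps the grammatical slip from the old text: "check that the server has an X509 certificate is signed by a CA in any trust root" is missing a relative pronoun and should read "has an X509 certificate that is signed by a CA in any trust root". While this sentence is being touched, "Subject Alternate Name" should be "Subject Alternative Name", which is the actual name of the X.509 extension (RFC 5280) and the term readers will search for.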
@ -68,10 +68,11 @@ Python would use the system provided certificate database on all platforms.
Failure to locate such a database would be an error, and users would need to
explicitly specify a location to fix it.
This will be acheived by adding a new ``ssl._create_default_https_context``
function, which is the same as ``ssl.create_default``. ``http.client`` can then
replace it's usage of ``ssl._create_stdlib_context`` with the new
``ssl._create_default_https_context``.
This will be achieved by adding a new ``ssl._create_default_https_context``
function, which is the same as ``ssl.create_default_context``.
``http.client`` can then replace its usage of ``ssl._create_stdlib_context``
with the ``ssl._create_default_https_context``.
Additionally ``ssl._create_stdlib_context`` is renamed
``ssl._create_unverified_context`` (an alias is kept around for backwards
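Review bot: the last sentence of the rewritten paragraph has a stray article: "with the ``ssl._create_default_https_context``" should be "with ``ssl._create_default_https_context``", matching the first sentence. Also consider saying why a second name is needed if it "is the same as ``ssl.create_default_context``"; as written the reader cannot tell whether the new function is a plain alias or a separate function whose behaviour is allowed to diverge (for example by being replaced by an application), and that distinction is the whole reason for introducing it.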
@ -116,6 +117,18 @@ certificates to system trust stores in order to trust them globally.
Twisted's 14.0 release made this same change, and it has been met with almost
no opposition.
Opting out
----------
For users who wish to opt out of certificate verification, they can achieve
this by providing the ``context`` argument to ``urllib.urlopen``:
import ssl
# This restores the same behavior as before.
context = ssl._create_unverified_context()
urllib.urlopen("https://no-valid-cert", context=context)
Other protocols
===============
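Review bot: the new opt-out example does not run as written: only ``ssl`` is imported, never ``urllib``, and ``urllib.urlopen`` is the Python 2 spelling, while on Python 3 the call is ``urllib.request.urlopen``. Since the PEP targets both 2.7.x and 3.x, either show both spellings or state which version the snippet is for and add the matching import. Separately, in the reST source the introducing sentence ends with a single colon ("``urllib.urlopen``:"), so the snippet is not a literal block; end the sentence with ``::`` and indent the four code lines so they render as code rather than as a paragraph.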
@ -137,8 +150,7 @@ Python Versions
This PEP describes changes that will occur on both the 3.4.x, 3.5 and 2.7.X
branches. For 2.7.X this will require backporting the ``context``
(``SSLContext``) argument to ``httplib``, in addition to the features already
backported in
:pep:`466`.
backported in :pep:`466`.
Implementation
==============
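Review bot: a style point on the context lines of this hunk, since the paragraph is being edited anyway: "both the 3.4.x, 3.5 and 2.7.X branches" lists three branches after "both", and the minor-version placeholder is spelled "3.4.x" in one place and "2.7.X" in two others; drop "both" and use one spelling consistently.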