PEP 476: improve guidance on opting out
parent
029a4f3cb4
commit
ef2437d422
32
pep-0476.txt
|
@ -121,8 +121,9 @@ no opposition.
|
||||||
Opting out
|
Opting out
|
||||||
----------
|
----------
|
||||||
|
|
||||||
For users who wish to opt out of certificate verification, they can achieve
|
For users who wish to opt out of certificate verification on a single
|
||||||
this by providing the ``context`` argument to ``urllib.urlopen``::
|
connection, they can achieve this by providing the ``context`` argument to
|
||||||
|
``urllib.urlopen``::
|
||||||
|
|
||||||
import ssl
|
import ssl
|
||||||
|
|
||||||
|
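Review bot: The reworded sentence says the opt-out applies "on a single connection", but the mechanism it names is a ``context`` argument passed to ``urllib.urlopen``, so the scope is really each call that is given that context, and nothing stops the same context object being passed to many calls. Suggest wording such as "for individual calls" and dropping the dangling "For users who wish to ..., they can achieve this" construction in favour of "Users who wish to opt out ... can do so by providing the ``context`` argument".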
@ -130,12 +131,33 @@ this by providing the ``context`` argument to ``urllib.urlopen``::
|
||||||
context = ssl._create_unverified_context()
|
context = ssl._create_unverified_context()
|
||||||
urllib.urlopen("https://no-valid-cert", context=context)
|
urllib.urlopen("https://no-valid-cert", context=context)
|
||||||
|
|
||||||
It is also possible **though highly discouraged** to globally disable
|
It is also possible, **though highly discouraged**, to globally disable
|
||||||
verification by monkeypatching the ``ssl`` module::
|
verification by monkeypatching the ``ssl`` module in versions of Python that
|
||||||
|
implement this PEP::
|
||||||
|
|
||||||
import ssl
|
import ssl
|
||||||
|
|
||||||
ssl._create_default_https_context = ssl._create_unverified_context
|
try:
|
||||||
|
_create_unverified_https_context = ssl._create_unverified_context
|
||||||
|
except AttributeError:
|
||||||
|
# Legacy Python that doesn't verify HTTPS certificates by default
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
# Handle target environment that doesn't support HTTPS verification
|
||||||
|
ssl._create_default_https_context = _create_unverified_https_context
|
||||||
|
|
||||||
|
This guidance is aimed primarily at system administrators that wish to adopt
|
||||||
|
newer versions of Python that implement this PEP in legacy environments that
|
||||||
|
do not yet support certificate verification on HTTPS connections. For
|
||||||
|
example, an administrator may opt out by adding the monkeypatch above to
|
||||||
|
``sitecustomize.py`` in their Standard Operating Environment for Python.
|
||||||
|
Applications and libraries SHOULD NOT be making this change process wide
|
||||||
|
(except perhaps in response to a system administrator controlled configuration
|
||||||
|
setting).
|
||||||
|
|
||||||
|
Particularly security sensitive applications should always provide an explicit
|
||||||
|
application defined SSL context rather than relying on the default behaviour
|
||||||
|
of the underlying Python implementation.
|
||||||
|
|
||||||
Other protocols
|
Other protocols
|
||||||
===============
|
===============
|
||||||
|
|
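Review bot: The new ``sitecustomize.py`` paragraph does not state the consequence an administrator most needs to see: with the assignment to ``ssl._create_default_https_context`` in place, every Python process started from that environment skips HTTPS certificate verification, including code that never asked to opt out. Suggest saying that explicitly, and adding that the patch is meant to be removed once the legacy environment supports verification. It would also help to note next to the ``try``/``except AttributeError`` block that both names it touches are underscore-prefixed, so readers know relying on them here is deliberate. Style: "administrators that wish" reads better as "administrators who wish", and the compound modifiers should be hyphenated ("process-wide", "security-sensitive", "application-defined", "system-administrator-controlled").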