From: Ned Deily Date: Tue, 12 Jun 2018 01:44:58 +0000 (-0400) Subject: bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530) (GH-7652) X-Git-Tag: v3.6.6rc1~1 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e25757408dc22561af9f9589c2c7e2a2fbb66ee4;p=python bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530) (GH-7652) The documentation for CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED were misleading and partly wrong. It fails to explain that OpenSSL behaves differently in client and server mode. Also OpenSSL does validate the cert chain everytime. With SSL_VERIFY_NONE a validation error is not fatal in client mode and does not request a client cert in server mode. Also discourage people from using CERT_OPTIONAL in client mode. --- diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index da7a86ae24..45418c7db1 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -536,20 +536,28 @@ Constants .. data:: CERT_NONE Possible value for :attr:`SSLContext.verify_mode`, or the ``cert_reqs`` - parameter to :func:`wrap_socket`. In this mode (the default), no - certificates will be required from the other side of the socket connection. - If a certificate is received from the other end, no attempt to validate it - is made. + parameter to :func:`wrap_socket`. Except for :const:`PROTOCOL_TLS_CLIENT`, + it is the default mode. With client-side sockets, just about any + cert is accepted. Validation errors, such as untrusted or expired cert, + are ignored and do not abort the TLS/SSL handshake. + + In server mode, no certificate is requested from the client, so the client + does not send any for client cert authentication. See the discussion of :ref:`ssl-security` below. .. data:: CERT_OPTIONAL Possible value for :attr:`SSLContext.verify_mode`, or the ``cert_reqs`` - parameter to :func:`wrap_socket`. In this mode no certificates will be - required from the other side of the socket connection; but if they - are provided, validation will be attempted and an :class:`SSLError` - will be raised on failure. + parameter to :func:`wrap_socket`. In client mode, :const:`CERT_OPTIONAL` + has the same meaning as :const:`CERT_REQUIRED`. It is recommended to + use :const:`CERT_REQUIRED` for client-side sockets instead. + + In server mode, a client certificate request is sent to the client. The + client may either ignore the request or send a certificate in order + perform TLS client cert authentication. If the client chooses to send + a certificate, it is verified. Any verification error immediately aborts + the TLS handshake. Use of this setting requires a valid set of CA certificates to be passed, either to :meth:`SSLContext.load_verify_locations` or as a @@ -561,6 +569,15 @@ Constants parameter to :func:`wrap_socket`. In this mode, certificates are required from the other side of the socket connection; an :class:`SSLError` will be raised if no certificate is provided, or if its validation fails. + This mode is **not** sufficient to verify a certificate in client mode as + it does not match hostnames. :attr:`~SSLContext.check_hostname` must be + enabled as well to verify the authenticity of a cert. + :const:`PROTOCOL_TLS_CLIENT` uses :const:`CERT_REQUIRED` and + enables :attr:`~SSLContext.check_hostname` by default. + + With server socket, this mode provides mandatory TLS client cert + authentication. A client certificate request is sent to the client and + the client must provide a valid and trusted certificate. Use of this setting requires a valid set of CA certificates to be passed, either to :meth:`SSLContext.load_verify_locations` or as a @@ -2272,11 +2289,6 @@ In server mode, if you want to authenticate your clients using the SSL layer (rather than using a higher-level authentication mechanism), you'll also have to specify :const:`CERT_REQUIRED` and similarly check the client certificate. - .. note:: - - In client mode, :const:`CERT_OPTIONAL` and :const:`CERT_REQUIRED` are - equivalent unless anonymous ciphers are enabled (they are disabled - by default). Protocol versions ''''''''''''''''' diff --git a/Misc/NEWS.d/next/Documentation/2017-09-13-07-14-59.bpo-31432.yAY4Z3.rst b/Misc/NEWS.d/next/Documentation/2017-09-13-07-14-59.bpo-31432.yAY4Z3.rst new file mode 100644 index 0000000000..18e5353b24 --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2017-09-13-07-14-59.bpo-31432.yAY4Z3.rst @@ -0,0 +1,2 @@ +Clarify meaning of CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED flags for +ssl.SSLContext.verify_mode.