From: Antoine Pitrou Date: Sun, 23 Mar 2014 15:31:08 +0000 (+0100) Subject: Issue #20913: make it clear that create_default_context() also enables hostname checking X-Git-Tag: v3.5.0a1~2044^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f8cbbbb652caf694661ab0ee8a4858fc7692c59a;p=python Issue #20913: make it clear that create_default_context() also enables hostname checking --- diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index e0b8eeceef..1673da7368 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -1626,7 +1626,8 @@ For **client use**, if you don't have any special requirements for your security policy, it is highly recommended that you use the :func:`create_default_context` function to create your SSL context. It will load the system's trusted CA certificates, enable certificate -validation, and try to choose reasonably secure protocol and cipher settings. +validation and hostname checking, and try to choose reasonably secure +protocol and cipher settings. For example, here is how you would use the :class:`smtplib.SMTP` class to create a trusted, secure connection to a SMTP server:: @@ -1641,9 +1642,9 @@ If a client certificate is needed for the connection, it can be added with :meth:`SSLContext.load_cert_chain`. By contrast, if you create the SSL context by calling the :class:`SSLContext` -constructor yourself, it will not have certificate validation enabled by -default. If you do so, please read the paragraphs below to achieve a good -security level. +constructor yourself, it will not have certificate validation nor hostname +checking enabled by default. If you do so, please read the paragraphs below +to achieve a good security level. Manual settings ^^^^^^^^^^^^^^^