diff options
author | Benjamin Peterson <benjamin@python.org> | 2014-11-03 14:29:33 -0500 |
---|---|---|
committer | Benjamin Peterson <benjamin@python.org> | 2014-11-03 14:29:33 -0500 |
commit | 56af18f1d69b51f08748d3bb537835b75c291525 (patch) | |
tree | 3419f151c61ade21d74dc30a833a1cecd10b8816 /Doc/whatsnew/3.4.rst | |
parent | a013b6cf543ba561f4960e17d9ee0973c47c31e1 (diff) | |
download | cpython-56af18f1d69b51f08748d3bb537835b75c291525.tar.gz |
PEP 476: enable HTTPS certificate verification by default (#22417)
Patch by Alex Gaynor with some modifications by me.
Diffstat (limited to 'Doc/whatsnew/3.4.rst')
-rw-r--r-- | Doc/whatsnew/3.4.rst | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/Doc/whatsnew/3.4.rst b/Doc/whatsnew/3.4.rst index 7129f54c69..bc3a6cc8ad 100644 --- a/Doc/whatsnew/3.4.rst +++ b/Doc/whatsnew/3.4.rst @@ -2504,3 +2504,32 @@ Changes in the C API * The ``f_tstate`` (thread state) field of the :c:type:`PyFrameObject` structure has been removed to fix a bug: see :issue:`14432` for the rationale. + +Changed in 3.4.3 +================ + +.. _pep-476: + +PEP 476: Enabling certificate verification by default for stdlib http clients +----------------------------------------------------------------------------- + +:mod:`http.client` and modules which use it, such as :mod:`urllib.request` and +:mod:`xmlrpc.client`, will now verify that the server presents a certificate +which is signed by a CA in the platform trust store and whose hostname matches +the hostname being requested by default, significantly improving security for +many applications. + +For applications which require the old previous behavior, they can pass an +alternate context:: + + import urllib.request + import ssl + + # This disables all verification + context = ssl._create_unverified_context() + + # This allows using a specific certificate for the host, which doesn't need + # to be in the trust store + context = ssl.create_default_context(cafile="/path/to/file.crt") + + urllib.request.urlopen("https://invalid-cert", context=context) |