@@ -1882,13 +1882,15 @@ to speed up repeated connections from the same clients.
18821882 :meth: `~SSLContext.wrap_socket ` in order to match the hostname. Enabling
18831883 hostname checking automatically sets :attr: `~SSLContext.verify_mode ` from
18841884 :data: `CERT_NONE ` to :data: `CERT_REQUIRED `. It cannot be set back to
1885- :data: `CERT_NONE ` as long as hostname checking is enabled.
1885+ :data: `CERT_NONE ` as long as hostname checking is enabled. The
1886+ :data: `PROTOCOL_TLS_CLIENT ` protocol enables hostname checking by default.
1887+ With other protocols, hostname checking must be enabled explicitly.
18861888
18871889 Example::
18881890
18891891 import socket, ssl
18901892
1891- context = ssl.SSLContext()
1893+ context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2 )
18921894 context.verify_mode = ssl.CERT_REQUIRED
18931895 context.check_hostname = True
18941896 context.load_default_certs()
@@ -2217,19 +2219,23 @@ If you prefer to tune security settings yourself, you might create
22172219a context from scratch (but beware that you might not get the settings
22182220right)::
22192221
2220- >>> context = ssl.SSLContext()
2221- >>> context.verify_mode = ssl.CERT_REQUIRED
2222- >>> context.check_hostname = True
2222+ >>> context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
22232223 >>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")
22242224
22252225(this snippet assumes your operating system places a bundle of all CA
22262226certificates in ``/etc/ssl/certs/ca-bundle.crt ``; if not, you'll get an
22272227error and have to adjust the location)
22282228
2229+ The :data: `PROTOCOL_TLS_CLIENT ` protocol configures the context for cert
2230+ validation and hostname verification. :attr: `~SSLContext.verify_mode ` is
2231+ set to :data: `CERT_REQUIRED ` and :attr: `~SSLContext.check_hostname ` is set
2232+ to ``True ``. All other protocols create SSL contexts with insecure defaults.
2233+
22292234When you use the context to connect to a server, :const: `CERT_REQUIRED `
2230- validates the server certificate: it ensures that the server certificate
2231- was signed with one of the CA certificates, and checks the signature for
2232- correctness::
2235+ and :attr: `~SSLContext.check_hostname ` validate the server certificate: it
2236+ ensures that the server certificate was signed with one of the CA
2237+ certificates, checks the signature for correctness, and verifies other
2238+ properties like validity and identity of the hostname::
22332239
22342240 >>> conn = context.wrap_socket(socket.socket(socket.AF_INET),
22352241 ... server_hostname="www.python.org")
0 commit comments