gh-94199: Remove the ssl.wrap_socket() function #94203

Merged
merged 1 commit into from Jul 8, 2022

Conversation

@vstinner vstinner commented Jun 24, 2022

Remove the ssl.wrap_socket() function, deprecated in Python 3.7:
instead, create a ssl.SSLContext object and call its
SSLContext.wrap_socket() method.

@vstinner vstinner marked this pull request as ready for review Jun 24, 2022
@vstinner vstinner commented Jun 24, 2022

I'm not sure the Python ecosystem is ready for this :-(

A code search for ssl.wrap_socket in PyPI top 5000 projects (at 2022-01-26) found 355 matching lines in 81 projects:

  • aliyun-python-sdk-core-2.13.35
  • amqp-5.0.9
  • ansible-5.2.0
  • asyncio-3.4.3
  • awscrt-0.13.0
  • AWSIoTPythonSDK-1.4.9
  • backports.ssl_match_hostname-3.7.0.1
  • bandit-1.7.2
  • boto-2.49.0
  • cassandra-driver-3.25.0
  • cbapi-1.7.6
  • clickhouse-driver-0.2.2
  • createsend-6.1.2
  • customerio-1.4
  • distlib-0.3.4.zip
  • distribute-0.7.3.zip
  • Django-4.0.1
  • eventlet-0.33.0
  • future-0.18.2
  • gevent-21.12.0
  • geventhttpclient-1.5.3
  • geventhttpclient-wheels-1.3.1.dev3
  • graypy-2.1.0
  • gsutil-5.6
  • gunicorn-20.1.0
  • heroku3-5.1.4
  • httplib2-0.20.2
  • httpretty-1.1.4
  • hyper-0.7.0
  • IMAPClient-2.2.0.zip
  • impacket-0.9.24
  • launchdarkly-server-sdk-7.3.0
  • ldap3-2.9.1
  • mercurial-6.0.1
  • mysql-connector-2.2.9
  • mysql-connector-python-rf-2.2.2
  • newrelic-7.4.0.172
  • oci-2.55.0
  • oslo.messaging-12.11.1
  • oslo.service-2.8.0
  • pex-2.1.65
  • pg8000-1.23.0
  • pika-1.2.0
  • pip-21.3.1
  • pipenv-2022.1.8
  • pycurl-7.44.1
  • pyeapi-0.8.4
  • pyftpdlib-1.5.6
  • pygelf-0.4.2
  • pykafka-2.8.0
  • PyKMIP-0.10.0
  • pylint-2.12.2
  • pylogbeat-2.0.0
  • python-glanceclient-3.5.0
  • python-magnumclient-3.5.0
  • python-telegram-bot-13.10
  • pyvmomi-7.0.3
  • py-zabbix-1.1.7
  • rabbitpy-2.0.1
  • raven-6.10.0
  • rethinkdb-2.4.8
  • salt-3004
  • secure-smtplib-0.1.1
  • snowflake-connector-python-2.7.3
  • speedtest-cli-2.1.3
  • splunk-sdk-1.6.18
  • sqreen-1.27.4
  • stem-1.8.0
  • stomp.py-7.0.0
  • superlance-2.0.0
  • thrift-0.15.0
  • thriftpy-0.3.9
  • thriftpy2-0.4.14
  • tornado-6.1
  • urllib3-1.26.8
  • uvloop-0.16.0
  • vertica-python-1.0.3
  • wincertstore-0.2.1.zip
  • ws4py-0.5.1
  • youtube_dl-2021.12.17
  • yt-dlp-2022.1.21

@tiran tiran commented Jul 8, 2022

ssl.wrap_socket() has been deprecated and documented as insecure since 3.7 (released 2018).

Any package that still uses ssl.wrap_socket() is broken and insecure. The function neither sends a SNI TLS extension nor validates server hostname. Code is subject to CWE-295: Improper Certificate Validation and worth a CVE with at least medium severity.
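
The migration the PR description prescribes (build an ssl.SSLContext and call its wrap_socket() method) and the two defects tiran names (no SNI, no hostname check), as an added example that is not part of this PR, CPython, or any of the projects listed above. The function names, the constructed SAMPLE source that the AST scanner runs over, and the decision to model the old behaviour with an explicit CERT_NONE / check_hostname=False context are all assumptions made for illustration; nothing here touches the network.

```python
"""Migrate from ssl.wrap_socket() to SSLContext.wrap_socket(), and find leftovers."""
import ast
import socket
import ssl


def secure_client_context(cafile=None):
    """Client context built the way the PR description says to build it.

    create_default_context() gives CERT_REQUIRED plus check_hostname=True, so a
    socket wrapped with server_hostname= both sends SNI and verifies the peer
    name, which are the two things ssl.wrap_socket() never did.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("default context lost its verification settings")
    return ctx


def legacy_equivalent_context():
    """Assumed model of what the removed ssl.wrap_socket() did for a client:
    no certificate verification and no hostname check (CWE-295)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before switching to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_tls(host, port, ctx=None, timeout=10.0):
    """Open a verified TLS client connection. server_hostname= is what makes
    the context send SNI and check the certificate against `host`."""
    ctx = ctx or secure_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise


def refuses_wrap_without_server_hostname(ctx):
    """True if ctx insists on a server_hostname, i.e. check_hostname is on.
    Uses an unconnected socket, so no handshake is attempted."""
    with socket.socket() as s:
        try:
            ssock = ctx.wrap_socket(s)   # no server_hostname given on purpose
        except ValueError:               # "check_hostname requires server_hostname"
            return True
        ssock.close()
        return False


def find_wrap_socket_calls(source):
    """Line numbers of ssl.wrap_socket(...) and bare wrap_socket(...) calls in
    `source`. A wrap_socket(...) call on a context object is not flagged."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        module_form = (isinstance(f, ast.Attribute) and f.attr == "wrap_socket"
                       and isinstance(f.value, ast.Name) and f.value.id == "ssl")
        bare_form = isinstance(f, ast.Name) and f.id == "wrap_socket"
        if module_form or bare_form:
            hits.append(node.lineno)
    hits.sort()
    return hits


# Constructed sample input; not taken from any real project.
SAMPLE = """\
import ssl, socket
from ssl import wrap_socket

def old_client(host):
    s = socket.create_connection((host, 443))
    return ssl.wrap_socket(s)

def old_client2(host):
    return wrap_socket(socket.socket())

def new_client(host):
    ctx = ssl.create_default_context()
    s = socket.create_connection((host, 443))
    return ctx.wrap_socket(s, server_hostname=host)
"""

if __name__ == "__main__":
    print("module-level wrap_socket() calls on lines:", find_wrap_socket_calls(SAMPLE))
    print("secure context demands server_hostname:",
          refuses_wrap_without_server_hostname(secure_client_context()))
    print("legacy-style context demands server_hostname:",
          refuses_wrap_without_server_hostname(legacy_equivalent_context()))
```

The scanner is only a first pass over a code base like the ones listed above: it catches the module-level call but not a context created with check_hostname=False, which is the same CWE-295 exposure spelled differently.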

tiran approved these changes Jul 8, 2022
Remove the ssl.wrap_socket() function, deprecated in Python 3.7:
instead, create a ssl.SSLContext object and call its
ssl.SSLContext.wrap_socket() method. Any package that still uses
ssl.wrap_socket() is broken and insecure. The function neither sends
a SNI TLS extension nor validates server hostname. Code is subject to
CWE-295 : Improper Certificate Validation.
@vstinner vstinner commented Jul 8, 2022

Any package that still uses ssl.wrap_socket() is broken and insecure. The function neither sends a SNI TLS extension nor validates server hostname. Code is subject to CWE-295: Improper Certificate Validation and worth a CVE with at least medium severity.

Oh wow, that sounds scary! I updated the documentation to mention that! But I omitted the last part: "and worth a CVE with at least medium severity". I prefer to not say that in the Python documentation.

@vstinner vstinner marked this pull request as ready for review Jul 8, 2022
@vstinner vstinner merged commit 00464bb into python:main Jul 8, 2022
15 checks passed
@vstinner vstinner deleted the ssl_wrap_socket branch Jul 8, 2022
@vstinner vstinner commented Jul 8, 2022

Merged. Thanks for the review @tiran.

3 participants