numberoverzero / bottom

asyncio-based rfc2812-compliant IRC Client
http://bottom-docs.readthedocs.io
MIT License

Investigate asyncio's ssl handling #6

numberoverzero closed 9 years ago

numberoverzero commented 9 years ago

Source: https://github.com/numberoverzero/bottom/blob/e6727f7b133e7d8ad8cc46dddbfb15cb09e26d6e/bottom/__init__.py#L70-L71

It's worth checking out asyncio.open_connection to see what ssl=True does, and what additional settings are available (e.g. certificate validation) to harden against common attacks.

numberoverzero commented 9 years ago

asyncio.open_connection is a thin wrapper around BaseEventLoop.create_connection which has the following note:

ssl: if given and not false, a SSL/TLS transport is created (by default a plain TCP transport is created). If ssl is a ssl.SSLContext object, this context is used to create the transport; if ssl is True, a context with some unspecified default settings is used.

The related link SSL/TLS security considerations indicates that the defaults will use the system's trusted CA certs, enable cert validation and hostname checking, and choose "reasonably secure protocol and cipher settings".

The default context is created by ssl.create_default_context which mentions using settings PROTOCOL_SSLv23, OP_NO_SSLv2, and OP_NO_SSLv3 which should prevent SSL connections and only allow TLS.

These seem like reasonable defaults; re-open if I've misunderstood something.
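
Added example, not part of the issue thread or of bottom's code: instead of relying on the "unspecified default settings" behind ssl=True, a client can build the context with ssl.create_default_context, inspect the settings discussed above, and pass it to asyncio.open_connection. The function names and the TLS 1.2 floor are assumptions made for this illustration.

```python
import asyncio
import ssl


def explicit_client_context() -> ssl.SSLContext:
    """Build the context ssl=True would start from, with the floor pinned."""
    ctx = ssl.create_default_context()  # purpose defaults to SERVER_AUTH
    # Assumption for this example: refuse anything older than TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Report the settings the thread asks about for a given context."""
    return {
        "verify_mode": ctx.verify_mode,
        "check_hostname": ctx.check_hostname,
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "minimum_version": ctx.minimum_version,
    }


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if both chain validation and hostname checking are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


async def connect(host: str, port: int):
    """Open a TLS connection, failing closed if verification was disabled."""
    ctx = explicit_client_context()
    if not is_verifying(ctx):
        raise RuntimeError("refusing to connect without certificate checks")
    # server_hostname defaults to host, so the certificate is matched to it.
    return await asyncio.open_connection(host, port, ssl=ctx)


if __name__ == "__main__":
    # Runs offline: only inspects the context, no connection is made.
    for key, value in describe(explicit_client_context()).items():
        print(f"{key}: {value!r}")
```

The is_verifying check is also useful in tests or code review tooling to catch a context where someone has set verify_mode to CERT_NONE or turned off check_hostname.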