Closed: numberoverzero closed this issue 9 years ago
asyncio.open_connection is a thin wrapper around BaseEventLoop.create_connection, which has the following note:

ssl: if given and not false, a SSL/TLS transport is created (by default a plain TCP transport is created). If ssl is a ssl.SSLContext object, this context is used to create the transport; if ssl is True, a context with some unspecified default settings is used.

The related link "SSL/TLS security considerations" indicates that the defaults will use the system's trusted CA certs, enable cert validation and hostname checking, and choose "reasonably secure protocol and cipher settings".

The default context is created by ssl.create_default_context, which mentions using the settings PROTOCOL_SSLv23, OP_NO_SSLv2, and OP_NO_SSLv3, which should prevent SSL connections and only allow TLS.

These seem like reasonable defaults; re-open if I've misunderstood something.
Source: https://github.com/numberoverzero/bottom/blob/e6727f7b133e7d8ad8cc46dddbfb15cb09e26d6e/bottom/__init__.py#L70-L71

It's worth checking out asyncio.open_connection to see what ssl=True does, and what additional settings are available (e.g. certificate validation) to harden against common attacks.