
gh-94199: Remove the ssl.wrap_socket() function #94203

Merged
merged 1 commit into from
Jul 8, 2022

Conversation

vstinner
Member

@vstinner vstinner commented Jun 24, 2022

Remove the ssl.wrap_socket() function, deprecated in Python 3.7:
instead, create a ssl.SSLContext object and call its
SSLContext.wrap_socket() method.

@vstinner vstinner marked this pull request as ready for review June 24, 2022 08:41
@vstinner
Member Author

I'm not sure if the Python ecosystem is ready for this :-(

A code search for ssl.wrap_socket in PyPI top 5000 projects (at 2022-01-26) found 355 matching lines in 81 projects:

  • aliyun-python-sdk-core-2.13.35
  • amqp-5.0.9
  • ansible-5.2.0
  • asyncio-3.4.3
  • awscrt-0.13.0
  • AWSIoTPythonSDK-1.4.9
  • backports.ssl_match_hostname-3.7.0.1
  • bandit-1.7.2
  • boto-2.49.0
  • cassandra-driver-3.25.0
  • cbapi-1.7.6
  • clickhouse-driver-0.2.2
  • createsend-6.1.2
  • customerio-1.4
  • distlib-0.3.4.zip
  • distribute-0.7.3.zip
  • Django-4.0.1
  • eventlet-0.33.0
  • future-0.18.2
  • gevent-21.12.0
  • geventhttpclient-1.5.3
  • geventhttpclient-wheels-1.3.1.dev3
  • graypy-2.1.0
  • gsutil-5.6
  • gunicorn-20.1.0
  • heroku3-5.1.4
  • httplib2-0.20.2
  • httpretty-1.1.4
  • hyper-0.7.0
  • IMAPClient-2.2.0.zip
  • impacket-0.9.24
  • launchdarkly-server-sdk-7.3.0
  • ldap3-2.9.1
  • mercurial-6.0.1
  • mysql-connector-2.2.9
  • mysql-connector-python-rf-2.2.2
  • newrelic-7.4.0.172
  • oci-2.55.0
  • oslo.messaging-12.11.1
  • oslo.service-2.8.0
  • pex-2.1.65
  • pg8000-1.23.0
  • pika-1.2.0
  • pip-21.3.1
  • pipenv-2022.1.8
  • pycurl-7.44.1
  • pyeapi-0.8.4
  • pyftpdlib-1.5.6
  • pygelf-0.4.2
  • pykafka-2.8.0
  • PyKMIP-0.10.0
  • pylint-2.12.2
  • pylogbeat-2.0.0
  • python-glanceclient-3.5.0
  • python-magnumclient-3.5.0
  • python-telegram-bot-13.10
  • pyvmomi-7.0.3
  • py-zabbix-1.1.7
  • rabbitpy-2.0.1
  • raven-6.10.0
  • rethinkdb-2.4.8
  • salt-3004
  • secure-smtplib-0.1.1
  • snowflake-connector-python-2.7.3
  • speedtest-cli-2.1.3
  • splunk-sdk-1.6.18
  • sqreen-1.27.4
  • stem-1.8.0
  • stomp.py-7.0.0
  • superlance-2.0.0
  • thrift-0.15.0
  • thriftpy-0.3.9
  • thriftpy2-0.4.14
  • tornado-6.1
  • urllib3-1.26.8
  • uvloop-0.16.0
  • vertica-python-1.0.3
  • wincertstore-0.2.1.zip
  • ws4py-0.5.1
  • youtube_dl-2021.12.17
  • yt-dlp-2022.1.21
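The search above was run over PyPI sources; the same audit can be done on a code base with the stdlib ast module so that aliased imports are caught and calls to SSLContext.wrap_socket() (the replacement API) are not reported as false positives. This is an added example for this thread, not CPython's own code: find_wrap_socket_calls and the SAMPLE_SOURCE it runs over are constructed here.

```python
import ast

# Constructed sample: three legacy call shapes and one correct SSLContext call.
SAMPLE_SOURCE = '''\
import socket
import ssl
import ssl as tls
from ssl import wrap_socket

def legacy_a(sock):
    return ssl.wrap_socket(sock)                      # module-level call

def legacy_b(sock):
    return tls.wrap_socket(sock, ssl_version=tls.PROTOCOL_TLS)  # aliased module

def legacy_c(sock):
    return wrap_socket(sock)                          # imported name

def modern(sock, host):
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=host)  # SSLContext method: fine
'''


class _WrapSocketFinder(ast.NodeVisitor):
    """Collect calls that resolve to the module-level ssl.wrap_socket()."""

    def __init__(self):
        self.module_aliases = {"ssl"}   # names bound to the ssl module
        self.func_aliases = set()       # names bound to ssl.wrap_socket itself
        self.hits = []                  # (line number, call as written)

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "ssl":
                self.module_aliases.add(alias.asname or "ssl")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module == "ssl":
            for alias in node.names:
                if alias.name == "wrap_socket":
                    self.func_aliases.add(alias.asname or "wrap_socket")
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        matched = False
        if isinstance(func, ast.Attribute) and func.attr == "wrap_socket":
            # Flag only when the receiver is the ssl module itself; a call on
            # an SSLContext instance (ctx.wrap_socket) is the recommended form.
            matched = (isinstance(func.value, ast.Name)
                       and func.value.id in self.module_aliases)
        elif isinstance(func, ast.Name):
            matched = func.id in self.func_aliases
        if matched:
            self.hits.append((node.lineno, ast.unparse(node)))
        self.generic_visit(node)


def find_wrap_socket_calls(source: str):
    """Return [(lineno, call_text), ...] for every ssl.wrap_socket() use."""
    finder = _WrapSocketFinder()
    finder.visit(ast.parse(source))
    return finder.hits


if __name__ == "__main__":
    for lineno, call in find_wrap_socket_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {call}")
```

Run against the constructed sample it reports lines 7, 10 and 13 and stays silent on the SSLContext call at line 17; point find_wrap_socket_calls at each file of a project to get the per-project view the list above gives per package.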

@tiran
Member

tiran commented Jul 8, 2022

ssl.wrap_socket() has been deprecated and documented as insecure since 3.7 (released 2018).

Any package that still uses ssl.wrap_socket() is broken and insecure. The function neither sends a SNI TLS extension nor validates the server hostname. Code is subject to CWE-295: Improper Certificate Validation and worth a CVE with at least medium severity.

Remove the ssl.wrap_socket() function, deprecated in Python 3.7:
instead, create a ssl.SSLContext object and call its
ssl.SSLContext.wrap_socket() method. Any package that still uses
ssl.wrap_socket() is broken and insecure. The function neither sends
a SNI TLS extension nor validates the server hostname. Code is subject to
CWE-295: Improper Certificate Validation.
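What the migration looks like in practice, as an added example that is not part of this PR or of CPython's own code: legacy_style_context() is an assumed approximation of the removed function's default behaviour (no chain verification, no hostname check) built on a modern SSLContext, hardened_context() is the replacement the PR description points to, and wrap_client_socket() shows the server_hostname argument that makes SNI and hostname matching happen. The helper names are mine.

```python
import socket
import ssl
from typing import Optional


def legacy_style_context() -> ssl.SSLContext:
    """Assumed approximation of the removed ssl.wrap_socket() defaults:
    the peer certificate is neither verified nor matched against a hostname,
    so any certificate presented on the wire is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The replacement: verify the chain against the system trust store
    (or `cafile`) and require the certificate to match the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context() already sets both; restating them keeps the
    # intent visible so a later refactor cannot silently drop them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def wrap_client_socket(sock: socket.socket, hostname: str,
                       context: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Wrap an outgoing TCP socket for `hostname`. Passing server_hostname is
    what makes Python send the SNI extension and check the certificate
    against the name the caller meant to reach (the CWE-295 point)."""
    ctx = context or hardened_context()
    return ctx.wrap_socket(sock, server_hostname=hostname)


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the two settings CWE-295 hinges on, for logs or a test."""
    return {"check_hostname": ctx.check_hostname,
            "verify_mode": ctx.verify_mode.name}


def refuses_without_hostname(ctx: ssl.SSLContext) -> bool:
    """True if `ctx` refuses to wrap a socket that has no server_hostname.
    A hostname-checking context raises ValueError here before any I/O;
    the legacy-style context wraps happily, which is the silent failure
    the deprecated helper allowed. Uses an unconnected socket, so no
    network access is needed."""
    with socket.socket() as raw:
        try:
            wrapped = ctx.wrap_socket(raw)
        except ValueError:
            return True
        wrapped.close()
    return False


if __name__ == "__main__":
    print("legacy  :", describe(legacy_style_context()),
          "refuses without hostname:", refuses_without_hostname(legacy_style_context()))
    print("hardened:", describe(hardened_context()),
          "refuses without hostname:", refuses_without_hostname(hardened_context()))
```

The legacy-style context is only there to make the contrast explicit; the fix for any package on the list above is to construct the hardened context once and route every outgoing connection through wrap_client_socket() with the intended hostname.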
@vstinner
Member Author

vstinner commented Jul 8, 2022

Any package that still uses ssl.wrap_socket() is broken and insecure. The function neither sends a SNI TLS extension nor validates the server hostname. Code is subject to CWE-295: Improper Certificate Validation and worth a CVE with at least medium severity.

Oh wow, that sounds scary! I updated the documentation to mention that! But I omitted the last part: "and worth a CVE with at least medium severity". I prefer not to say that in the Python documentation.

@vstinner vstinner marked this pull request as ready for review July 8, 2022 13:19
@vstinner vstinner merged commit 00464bb into python:main Jul 8, 2022
@vstinner vstinner deleted the ssl_wrap_socket branch July 8, 2022 13:20
@vstinner
Member Author

vstinner commented Jul 8, 2022

Merged. Thanks for the review @tiran.
