Document URL: 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.5_release_notes/chap-red_hat_enterprise_linux-7.5_release_notes-deprecated_functionality

Section Number and Name: 
sslwrap() removed from Python

Describe the issue: 
The section recommends ssl.wrap_socket() as replacement for sslwrap. As upstream maintainer of Python's ssl module and Red Hat security engineer for IdM, I strongly advise against the function. ssl.wrap_socket() has multiple deficiencies. Most importantly the function is insecure. It doesn't validate host names and opens applications to MitM attacks. Further more the function has no option to load the system trust store, so applications have to hard-code the path to CA cert bundle. Application developers usually don't bother and rather disable cert validation. The function is also inefficient. It has to parse cert, key, and CA and create a temporary SSLContext object for every call.

Suggestions for improvement: 
Please advise users to use ssl.SSLContext and ssl.SSLContext.wrap_socket() instead. Most applications can simply use ssl.create_default_context(), which creates a context with secure default settings. The default context uses the system's default trust store, too.

>>> import ssl
>>> ctx = ssl.create_default_context()
>>> ctx.wrap_socket(sock, server_hostname=HOSTNAME)


Additional information: 
ssl.wrap_socket() will be deprecated soon, too.