Section Number and Name:
sslwrap() removed from Python
Describe the issue:
The section recommends ssl.wrap_socket() as replacement for sslwrap. As upstream maintainer of Python's ssl module and Red Hat security engineer for IdM, I strongly advise against the function. ssl.wrap_socket() has multiple deficiencies. Most importantly, the function is insecure. It doesn't validate host names and opens applications to MitM attacks. Furthermore, the function has no option to load the system trust store, so applications have to hard-code the path to CA cert bundle. Application developers usually don't bother and rather disable cert validation. The function is also inefficient. It has to parse cert, key, and CA and create a temporary SSLContext object for every call.
Suggestions for improvement:
Please advise users to use ssl.SSLContext and ssl.SSLContext.wrap_socket() instead. Most applications can simply use ssl.create_default_context(), which creates a context with secure default settings. The default context uses the system's default trust store, too.
>>> import ssl
>>> ctx = ssl.create_default_context()
>>> ctx.wrap_socket(sock, server_hostname=HOSTNAME)
ssl.wrap_socket() will be deprecated soon, too.
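The following is an added example, not part of the original report or of the Release Notes text. It opens a client connection through ssl.create_default_context() and checks a context for the two weaknesses named above; the helper names audit_context, unverified_context and open_verified are hypothetical.

```python
import socket
import ssl


def audit_context(ctx):
    """Return the client-side weaknesses the report warns about, if present."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("host name is not checked against the certificate")
    return findings


def unverified_context():
    """Constructed counter-example: validation switched off by the application."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE  # peer certificate is accepted unchecked
    return ctx


def open_verified(host, port=443, timeout=10.0):
    """Connect with the system trust store and host name checking enabled."""
    ctx = ssl.create_default_context()  # loads the system's default CA certificates
    findings = audit_context(ctx)
    if findings:
        raise RuntimeError("refusing weak TLS context: " + "; ".join(findings))
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # server_hostname drives both SNI and the host name check.
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()  # do not leak the TCP socket when the handshake is rejected
        raise


if __name__ == "__main__":
    print("default context:   ", audit_context(ssl.create_default_context()))
    print("unverified context:", audit_context(unverified_context()))
```

The context can be created once and reused for every connection, which avoids re-parsing the trust store on each call.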
Thanks a lot for your suggestion. Please review the proposed doc text and let me know if this is sufficient.
Charis, you were the original reporter in BZ#1331425, please let me know if you have any suggestions, too.
Once I get acks from both of you, I will republish RHEL 7.3, 7.4, and 7.5 Release Notes with this fix.
LGTM as well!
Thank you guys!
The updated books are now live: