From: Antoine Pitrou Date: Sun, 17 Nov 2013 14:35:33 +0000 (+0100) Subject: Issue #19508: direct the user to read the security considerations for the ssl module X-Git-Tag: v3.4.0b1~225^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9eefe91fc2922de7ae7eee2e55d17ea452468083;p=thirdparty%2FPython%2Fcpython.git Issue #19508: direct the user to read the security considerations for the ssl module --- diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index 1c5c3551601c..c4e171276729 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst @@ -29,12 +29,10 @@ probably additional platforms, as long as OpenSSL is installed on that platform. cause variations in behavior. .. warning:: + Don't use this module without reading the :ref:`ssl-security`. Doing so + may lead to a false sense of security, as the default settings of the + ssl module are not necessarily appropriate for your application. - OpenSSL's internal random number generator does not properly handle fork. - Applications must change the PRNG state of the parent process if they use - any SSL feature with :func:`os.fork`. Any successful call of - :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or - :func:`~ssl.RAND_pseudo_bytes` is sufficient. This section documents the objects and functions in the ``ssl`` module; for more general information about TLS, SSL, and certificates, the reader is referred to @@ -1314,6 +1312,17 @@ format `_. If you want to check which ciphers are enabled by a given cipher list, use the ``openssl ciphers`` command on your system. +Multi-processing +^^^^^^^^^^^^^^^^ + +If using this module as part of a multi-processed application (using, +for example the :mod:`multiprocessing` or :mod:`concurrent.futures` modules), +be aware that OpenSSL's internal random number generator does not properly +handle forked processes. Applications must change the PRNG state of the +parent process if they use any SSL feature with :func:`os.fork`. Any +successful call of :func:`~ssl.RAND_add`, :func:`~ssl.RAND_bytes` or +:func:`~ssl.RAND_pseudo_bytes` is sufficient. + .. seealso::