gh-94199: Remove the ssl.wrap_socket() function (#94203)

Remove the ssl.wrap_socket() function, deprecated in Python 3.7: instead, create a ssl.SSLContext object and call its sl.SSLContext.wrap_socket() method. Any package that still uses ssl.wrap_socket() is broken and insecure. The function neither sends a SNI TLS extension nor validates server hostname. Code is subject to CWE-295 : Improper Certificate Validation.
2025-07-07 19:35:27 +00:00 · 2022-07-08 15:20:15 +02:00 · 2022-07-08 15:20:15 +02:00 · 00464bbed6
commit 00464bbed6
parent 23ee4a8067
4 changed files with 16 additions and 60 deletions
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@ -1357,36 +1357,6 @@ SSLContext.sslsocket_class = SSLSocket
 SSLContext.sslobject_class = SSLObject


-def wrap_socket(sock, keyfile=None, certfile=None,
-                server_side=False, cert_reqs=CERT_NONE,
-                ssl_version=PROTOCOL_TLS, ca_certs=None,
-                do_handshake_on_connect=True,
-                suppress_ragged_eofs=True,
-                ciphers=None):
-    warnings.warn(
-        "ssl.wrap_socket() is deprecated, use SSLContext.wrap_socket()",
-        category=DeprecationWarning,
-        stacklevel=2
-    )
-    if server_side and not certfile:
-        raise ValueError("certfile must be specified for server-side "
-                         "operations")
-    if keyfile and not certfile:
-        raise ValueError("certfile must be specified")
-    context = SSLContext(ssl_version)
-    context.verify_mode = cert_reqs
-    if ca_certs:
-        context.load_verify_locations(ca_certs)
-    if certfile:
-        context.load_cert_chain(certfile, keyfile)
-    if ciphers:
-        context.set_ciphers(ciphers)
-    return context.wrap_socket(
-        sock=sock, server_side=server_side,
-        do_handshake_on_connect=do_handshake_on_connect,
-        suppress_ragged_eofs=suppress_ragged_eofs
-    )
-
 # some utility functions

 def cert_time_to_seconds(cert_time):