bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530)

The documentation for CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED was
misleading and partly wrong. It fails to explain that OpenSSL behaves
differently in client and server mode. Also OpenSSL does validate the
cert chain every time. With SSL_VERIFY_NONE a validation error is not
fatal in client mode and does not request a client cert in server mode.
Also discourage people from using CERT_OPTIONAL in client mode.
Christian Heimes 2018-06-12 00:59:45 +02:00 committed by Ned Deily
parent 4b704f29f5
commit ef24b6c54d
4 changed files with 32 additions and 16 deletions

@ -4074,7 +4074,9 @@ class ThreadedTests(unittest.TestCase):
self.assertTrue(session)
with self.assertRaises(TypeError) as e:
s.session = object
self.assertEqual(str(e.exception), 'Value is not a SSLSession.')
self.assertEqual(
str(e.exception), 'Value is not an SSLSession.'
)
with client_context.wrap_socket(socket.socket(),
server_hostname=hostname) as s:
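
Review bot: the reworded expected string in the `s.session = object` assertion ('Value is not a SSLSession.' to 'Value is not an SSLSession.') is not mentioned in the commit message, which only describes the CERT_NONE/CERT_OPTIONAL/CERT_REQUIRED documentation; note the wording fix there or split it into its own change. Because `assertEqual` compares the full `str(e.exception)`, this test passes only if the message raised by the session setter is updated in the same commit, so confirm that change is among the 4 changed files. Since the `TypeError` is already checked by `assertRaises`, matching a stable fragment such as 'SSLSession' would keep the test from breaking on future grammar edits.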