Opened 4 years ago

#9268 defect new

Deprecate ssl client endpoint

Reported by: mark williams Owned by:
Priority: highest Milestone:
Component: core Keywords:
Cc: Alex Gaynor Branch:
Author:

Description

The ssl client endpoint should be deprecated or just removed.

It does not verify server certificates against any trust root unless you specify a directory of CA certificates (e.g. ssl:imap.gmail.com:993:caCertsDir=/etc/ssl/certs) or a hostname (e.g., ssl:imap.gmail.com:993:hostname=imap4.gmail.com). In the former case, it will read CA certs out of the provided directory, while in the latter case it uses t.i.ssl.platformTrust to determine the location of those certs.

It will also not offer SNI or perform SNI validation without the hostname keyword argument.

This is a needlessly complicated API with unsafe defaults. Everybody should use the tls endpoint instead. Let's get rid of ssl!
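An audit helper for the behaviour described in this ticket, added here as an example; it is not part of the ticket or of Twisted's code. It flags ssl client endpoint strings that fall into the unverified or no-SNI cases. The parser is a simplified stand-in for Twisted's endpoint string parsing (it handles only backslash-escaped colons), and the function names and finding labels are made up for this example.

```python
import re

# Split on ':' unless it is escaped with a backslash (simplified rule, an
# assumption of this example rather than Twisted's full parser).
_SPLIT = re.compile(r"(?<!\\):")


def parse_endpoint(description):
    """Return (name, positional_args, keyword_args) for an endpoint string."""
    parts = [p.replace("\\:", ":") for p in _SPLIT.split(description.strip())]
    # Lowercasing the name is a conservative choice so "SSL:" is not missed.
    name, args, kwargs = parts[0].lower(), [], {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            kwargs[key] = value
        else:
            args.append(part)
    return name, args, kwargs


def audit(description):
    """List the unsafe properties the ticket describes for an ssl endpoint."""
    name, _args, kwargs = parse_endpoint(description)
    if name != "ssl":
        return []
    has_hostname = bool(kwargs.get("hostname"))
    has_ca_dir = bool(kwargs.get("caCertsDir"))
    findings = []
    if not has_hostname and not has_ca_dir:
        # Neither keyword given: no trust root is consulted at all.
        findings.append("no-trust-root")
    if not has_hostname:
        # Without hostname= the endpoint neither offers nor validates SNI.
        findings.append("no-sni")
    return findings


def scan(lines):
    """Map each flagged endpoint string to its findings."""
    return {s: f for s in lines if (f := audit(s))}


if __name__ == "__main__":
    # Constructed sample input; the first three strings use the ticket's examples.
    sample = [
        "ssl:imap.gmail.com:993",
        "ssl:imap.gmail.com:993:caCertsDir=/etc/ssl/certs",
        "ssl:imap.gmail.com:993:hostname=imap4.gmail.com",
        "tls:imap.gmail.com:993",
    ]
    for endpoint, findings in scan(sample).items():
        print(endpoint, "->", ", ".join(findings))
```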
