**1. smtplib.SMTP_SSL**

In the Python 3 Docs at `smtplib.SMTP_SSL` it says:

> `class smtplib.SMTP_SSL(host='', port=0, local_hostname=None, keyfile=None, certfile=None, [timeout, ]context=None, source_address=None)`
>
> (...) *context*, also optional, can contain a `SSLContext` and allows configuring various aspects of the secure connection. Please read Security considerations for best practices.

**2. Security considerations article**

So read the above mentioned Security considerations where it says:

> (...) it is highly recommended that you use the `create_default_context()` function to create your SSL context.

and

> (...) if you create the SSL context by calling the `SSLContext` constructor yourself, it will not have certificate validation nor hostname checking enabled by default.

So it seems like I definitively want the former: `create_default_context` for the SSL context.

**3. smtplib.py**

I had a quick look at smtplib.py to see what happens if I omit the `context` argument of `smtplib.SMTP_SSL`:

```python
if context is None:
    context = ssl._create_stdlib_context(certfile=certfile, keyfile=keyfile)
```

So there is a call to `ssl._create_stdlib_context` which seems different from the recommended `ssl.create_default_context` from the Security considerations article.

**4. ssl.py**

At the function docstring in ssl.py I found:

> All Python stdlib modules shall use this function to create SSLContext objects in order to keep common settings in one place. The configuration is less restrict than create_default_context()'s to increase backward compatibility.

**5. Question**

How am I supposed to call `smtplib.SMTP_SSL` according to the Security considerations article? It seems like I really need to "manually" call `create_default_context` to create a context each time?

```python
server = smtplib.SMTP_SSL(context=ssl.create_default_context())
```

Or is

```python
server = smtplib.SMTP_SSL()
```

enough? And why?

Thank you so much :-)
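Added example (not part of the question or the Python docs) that makes the difference between the two calls visible without any network access: it builds `SMTP_SSL` objects with an empty host, so nothing connects, and reads back the `SSLContext` each one ends up with. The helper names (`describe`, `context_of_smtp_ssl`, `compare_contexts`, `secure_smtp_ssl`) are assumptions of this example.

```python
import smtplib
import ssl


def describe(ctx):
    """Return the two SSLContext settings that decide whether the server
    certificate is validated at all and whether it must match the host name."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def context_of_smtp_ssl(context=None):
    """Build an SMTP_SSL object without connecting (an empty host means
    __init__ never calls connect()) and report the context it would use."""
    server = smtplib.SMTP_SSL(context=context)
    return describe(server.context)


def compare_contexts():
    """Side by side: the implicit stdlib context of SMTP_SSL() versus an
    explicit ssl.create_default_context()."""
    return {
        "SMTP_SSL()": context_of_smtp_ssl(),
        "SMTP_SSL(context=create_default_context())": context_of_smtp_ssl(
            ssl.create_default_context()
        ),
    }


def secure_smtp_ssl(host, port=465, timeout=10):
    """The form the Security considerations article asks for: an explicit
    create_default_context(), so CERT_REQUIRED and the hostname check apply.
    This one does connect to host, so it is not called in the demo below."""
    return smtplib.SMTP_SSL(
        host, port, timeout=timeout, context=ssl.create_default_context()
    )


if __name__ == "__main__":
    # Constructed demo run; prints one line per call style.
    for how, settings in compare_contexts().items():
        print(f"{how:46} -> {settings}")
```

With a plain `SMTP_SSL()` the context reports `CERT_NONE` and `check_hostname=False`, i.e. the server certificate is never checked; passing `ssl.create_default_context()` flips both to `CERT_REQUIRED` and `True`.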