python · nitram2342 · Nov 17, 2023 · Nov 17, 2023 · Nov 17, 2023 · Nov 17, 2023
@@ -698,3 +698,4 @@ peps/pep-8016.rst  @njsmith @dstufft
 peps/pep-8100.rst  @njsmith
 # peps/pep-8101.rst
 # peps/pep-8102.rst
+peps/pep-8106.rst  @vstinner
diff --git a/peps/pep-8106.rst b/peps/pep-8106.rst
@@ -0,0 +1,91 @@
+PEP: 8106
+Title: Enabling certificate verification by default for stdlib mail modules
+Version: $Revision$
+Last-Modified: $Date$
+Author: Martin Schobert <[email protected]>
+Status: Draft
+Type: Standards Track
+Content-Type: text/x-rst
+Created: 17-Nov-2023
+Sponsor: @vstinner 
+
+Abstract
+========
+
+The Python mail libraries such as ``smtplib``, ``imaplib`` and ``pop3lib``
+do not verify server certificates per default, when a client based on these
+mail libraries connects to a server via TLS. Any server certificate is
+accepted per default. This means, a client can't ensure that it connects
+to the server to which the connection was intended.
+
+This allows an active attacker in a machine-in-the-middle postion to intercept
+communication, read mail contents, credentials or may abuse an SMTP server
+for spaming.
+
+This PEP proposes to enable verification of X509 certificates for Python's
+mail clients by default, subject to opt-out on a per-call basis. This change
+would be applied to all maintained Python versions.
+
+Rationale
+=========
+
+It can be expected that a Python mail client, written in the most simple way, is
+secure by default. If progam code wants to insecurely connect to a server, this
+action should require and explicit confirmation. Not verifying a server certificate
+and accepting it violates PEP 20's principle "errors should never pass silently."
+
+It can also be expected that Python standard libraries behave in a consitent way.
+While Python's HTTP stdlib modules verify server certificates per default after
+implementing the change request from PEP 476, developers may expect Python mail
+libraries to behave similar.
+
+The failure of various applications to note Python's negligence in this matter
+is a source of vulnerabilities [#]_ [#]_ [#]_ [#]_.
+
+.. [#] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39441
+.. [#] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38686
+.. [#] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39441
+.. [#] https://www.pentagrid.ch/en/blog/python-mail-libraries-certificate-verification/
+
+Technical Details
+=================
+
+Python would use the system provided certificate database on all platforms.
+Failure to locate such a database would be an error, and users would need to
+explicitly specify a location to fix it.
+
+Python will change the ``_create_stdlib_context`` as default context in the
+mail libraries with ``ssl.create_default_context``.
+
+If a developer wants to disable certificate verification, an explicitly created
+SSL/TLS context may be passed that has been created with ``_create_unverified_context``.
+
+Trust database
+--------------
+
+This PEP proposes using the system-provided certificate database.
+
+
+Opting out
+----------
+
+For users who wish to opt out of certificate verification on a single
+connection, they can achieve this by providing the ``ssl_context``
+for ``imaplib.IMAP4_SSL`` respectively ``context`` for ``smtplib.SMTP_SSL`` and
+``poplib.POP3_SSL``.
+
+
+
+Copyright
+=========
+
+This document has been placed into the public domain.
+
+
+..
+   Local Variables:
+   mode: indented-text
+   indent-tabs-mode: nil
+   sentence-end-double-space: t
+   fill-column: 70
+   coding: utf-8