AIOHTTPTransport ssl=False by default
Common problems
- TLS should be enabled by default. AIOHTTPTransport uses ssl=False by default
- I was expecting the library to fail when using a self-signed certificate on the server.
To Reproduce
- start a server with a self-signed certificate
- try to connect
- it will succeed instead of failing
Expected behavior
Expect the connection to fail when using untrusted certificates.
System info (please complete the following information):
- Any
That's pretty bad... Thanks for your report.
The annoying thing is that there are probably some people who are depending on this, and changing the default will be a breaking change for them.
A major version bump will be needed to fix this.
yes, there must be a breaking change... but a patch release could contain a warning:
- default should be changed to ssl=None
- if ssl==None: log warning and set ssl=False
> yes, there must be a breaking change... but a patch release could contain a warning:
Good idea!
Note that for the warning, the default value cannot be None.
That's because there was a change in aiohttp from version 3.10.
Before aiohttp 3.10, aiohttp was using None as the default value, and would verify the certificate in that case.
From aiohttp 3.10, it switched to use True as the default value.
So, someone could have used ssl=None previously with AIOHTTPTransport. He would have a typing error with mypy but it would work and gql would verify the certificate. If we set ssl to False if we receive None, then gql will not verify the cert for him in that case.
We could use another default value, like the "warning" string?
Good point. A default string value sounds good enough, or it could be a predefined sentinel = object(): https://python-patterns.guide/python/sentinel-object/#sentinel-objects
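The sentinel approach discussed above, as an added illustration that is not gql's own code: the names `_SSL_NOT_SET`, `resolve_ssl_transitional` and `resolve_ssl_strict` are assumptions made for this example. The first function models the patch-release behaviour proposed in the thread (keep `ssl=False` when nothing is passed, but emit a deprecation warning, and keep verifying for callers who explicitly passed `None` as the pre-3.10 aiohttp API allowed); the second models the verification-on default of the major release.

```python
import ssl
import warnings

# Hypothetical sentinel (not gql's own code). It distinguishes "caller passed
# nothing" from an explicit None, which aiohttp < 3.10 treated as "verify".
_SSL_NOT_SET = object()

DEPRECATION_MESSAGE = (
    "No ssl argument given: TLS verification is currently disabled "
    "(ssl=False). The default will switch to verification in the next "
    "major release; pass ssl=True or an ssl.SSLContext explicitly."
)


def resolve_ssl_transitional(ssl_arg=_SSL_NOT_SET):
    """Patch-release behaviour: keep the insecure default but warn about it.

    Returns the value that would be handed to aiohttp's connector as ssl=...
    """
    if ssl_arg is _SSL_NOT_SET:
        warnings.warn(DEPRECATION_MESSAGE, DeprecationWarning, stacklevel=2)
        return False  # unchanged legacy default: no certificate verification
    if ssl_arg is None:
        # Explicit None meant "verify" under aiohttp < 3.10; normalise it to
        # True so callers who relied on that keep verifying on aiohttp >= 3.10.
        return True
    return ssl_arg  # True, False or a caller-supplied ssl.SSLContext


def resolve_ssl_strict(ssl_arg=_SSL_NOT_SET):
    """Major-release behaviour: verification on unless explicitly disabled."""
    if ssl_arg is _SSL_NOT_SET or ssl_arg is None:
        return True
    return ssl_arg


def transitional_default_warns():
    """Call the transitional resolver with no argument and capture warnings.

    Returns (resolved_value, list_of_DeprecationWarning_records).
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        value = resolve_ssl_transitional()
    deprecations = [w for w in caught if issubclass(w.category, DeprecationWarning)]
    return value, deprecations


if __name__ == "__main__":
    value, warned = transitional_default_warns()
    print("implicit default ->", value, "| deprecation warnings:", len(warned))
    print("explicit None    ->", resolve_ssl_transitional(None))
    ctx = ssl.create_default_context()
    print("SSLContext passes through unchanged:", resolve_ssl_transitional(ctx) is ctx)
    print("strict default   ->", resolve_ssl_strict())
```

The sentinel is what makes the warning possible: with `None` as the "not set" marker, the transitional code could not tell a caller who deliberately wrote `ssl=None` (and expected verification) from one who wrote nothing, which is exactly the case described above.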
Fixed in version 4.0.0