Skip to content

fix: Fix DeprecationWarning when setting ssl=True in remote()#2750

Open
tkukec wants to merge 2 commits into
Gallopsled:devfrom
tkukec:patch-3
Open

fix: Fix DeprecationWarning when setting ssl=True in remote()#2750
tkukec wants to merge 2 commits into
Gallopsled:devfrom
tkukec:patch-3

Conversation

@tkukec

@tkukec tkukec commented Jun 22, 2026

Copy link
Copy Markdown

The current code initializes SSLContext with ssl.PROTOCOL_TLSv1_2, which has been deprecated since Python 3.6

This should be the correct fix, according to the documentation (https://docs.python.org/3/library/ssl.html#ssl.SSLContext)

New PR against the dev branch, following the maintainer notes left in #2748


Pwntools Pull Request

Thanks for contributing to Pwntools! Take a moment to look at CONTRIBUTING.md to make sure you're familiar with Pwntools development.

Please provide a high-level explanation of what this pull request is for.

Testing

Pull Requests that introduce new code should try to add doctests for that code. See TESTING.md for more information.

Target Branch

Depending on what the PR is for, it needs to target a different branch.

You can always change the branch after you create the PR if it's against the wrong branch.

Branch Type of PR
dev New features, and enhancements
dev Documentation fixes and new tests
stable Bug fixes that affect the current stable branch
beta Bug fixes that affect the current beta branch, but not stable
dev Bug fixes for code that has never been released

Changelog

After creating your Pull Request, please add and push a commit that updates the changelog for the appropriate branch.
You can look at the existing changelog for examples of how to do this.

tkukec added 2 commits June 22, 2026 19:33
The current code initializes SSLContext with `ssl.PROTOCOL_TLSv1_2`, which has been deprecated for a while now

This should be the correct fix according to the documentation (https://docs.python.org/3/library/ssl.html#ssl.SSLContext)
@peace-maker

peace-maker commented Jun 22, 2026

Copy link
Copy Markdown
Member

PROTOCOL_TLS_CLIENT enables certificate verification of the remote certificate. Python doesn't use the system certificate store by default as it seems.

CERT_REQUIRED states that, use of this setting requires a valid set of CA certificates to be passed to SSLContext.load_verify_locations().

We need to call that with some CA store like certifi.where()? We have certifi implicitly already due to our requests dependency. Maybe add another parameter to remote to allow users to disable verifcation too now. I guess you can pass in your own sslcontext already, but that's more code than verify=False. Or maybe an example doing that in the docs is enough instead of a new parameter.

@tkukec

tkukec commented Jun 22, 2026

Copy link
Copy Markdown
Author

Ah, makes sense actually. Should've tested it more before opening a PR.

The stdlib does have SSLContext.load_default_certs() that works as expected (and passes tests).
There's also create_default_context(), a thin wrapper that sets up sensible defaults. (makes the most sense to just use this imo)

The only thing that slightly worries me is this line in SSLContext.set_default_verify_paths (which gets called by both of the above):

Unfortunately, there’s no easy way to know whether this method succeeds: no error is returned if no certificates are to be found. When the OpenSSL library is provided as part of the operating system, though, it is likely to be configured properly.

Using the certifi CA store seems like the more robust option, but I'm not sure it's needed?


For your last point, I can see how a verify=False would be implemented (or documented), but shouldn't that be separate from this bugfix pr?

@peace-maker

Copy link
Copy Markdown
Member

create_default_context sounds reasonable. Can you add an example to the docs passing in a ssl context with certificate verification disabled please? That way we can reduce friction from this change. A verify parameter is something for a different time, yes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants