Verify SSL as True by default

autophagy · mfussenegger · autophagy · commit 0ad90b0d7eff · 2020-10-29T16:13:29.000+01:00
Co-authored-by: Mathias Fußenegger &lt;mfussenegger@users.noreply.github.com&gt;
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -7,6 +7,10 @@ Unreleased
 
 - Added official Python 3.9 support.
 
+- BREAKING CHANGE: The driver now verifies SSL certificates when connecting via
+  HTTP by default. Previously, this setting defaulted to false. This setting
+  can be changed via the ``verify_ssl_cert`` connection parameter.
+
 2020/09/28 0.26.0
 =================
 
diff --git a/docs/sqlalchemy.rst b/docs/sqlalchemy.rst
@@ -105,7 +105,7 @@ the ``connect_args`` argument, like so::
 When you do this, the Database API layer will use its :ref:`round-robin
 <multiple-nodes>` implementation.
 
-The client does not validate `SSL server certificates`_ by default. To configure
+The client validates `SSL server certificates`_ by default. To configure
 this behaviour, SSL verification options can be passed in via ``connect_args``
 too::
 
diff --git a/src/crate/client/connection.py b/src/crate/client/connection.py
@@ -33,7 +33,7 @@ def __init__(self,
                  timeout=None,
                  backoff_factor=0,
                  client=None,
-                 verify_ssl_cert=False,
+                 verify_ssl_cert=True,
                  ca_cert=None,
                  error_trace=False,
                  cert_file=None,
@@ -62,7 +62,7 @@ def __init__(self,
             client used to communicate with crate.
         :param verify_ssl_cert:
             if set to ``True`` verify the servers SSL server certificate.
-            defaults to ``False``
+            defaults to ``True``
         :param ca_cert:
             a path to a CA certificate to use when verifying the SSL server
             certificate.
diff --git a/src/crate/client/doctests/sqlalchemy.txt b/src/crate/client/doctests/sqlalchemy.txt
@@ -32,7 +32,7 @@ The ``connect_args`` parameter has to be used to do so::
     ... })
     Engine(crate://)
 
-As defined in :ref:`https_connection` the client does not validate SSL server
+As defined in :ref:`https_connection` the client validates SSL server
 certificates by default. To configure this behaviour, SSL verification options
 can be given via ``connect_args`` too::
 
