Don't promote the use of ssl.CERT_OPTIONAL

behackett · behackett · commit bce5f95d7b32 · 2016-07-06T11:47:46.000-07:00
diff --git a/doc/examples/tls.rst b/doc/examples/tls.rst
@@ -51,17 +51,6 @@ Or, in the URI::
   >>> uri = 'mongodb://example.com/?ssl=true&ssl_cert_reqs=CERT_NONE'
   >>> client = pymongo.MongoClient(uri)
 
-You can also configure optional certificate verification, if a certificate is
-provided by the server::
-
-  >>> import ssl
-  >>> client = pymongo.MongoClient('example.com',
-  ...                              ssl=True,
-  ...                              ssl_cert_reqs=ssl.CERT_OPTIONAL)
-  >>>
-  >>> uri = 'mongodb://example.com/?ssl=true&ssl_cert_reqs=CERT_OPTIONAL'
-  >>> client = pymongo.MongoClient(uri)
-
 Specifying a CA file
 ....................
 
diff --git a/pymongo/mongo_client.py b/pymongo/mongo_client.py
@@ -217,14 +217,15 @@ def __init__(
           - `ssl_cert_reqs`: Specifies whether a certificate is required from
             the other side of the connection, and whether it will be validated
             if provided. It must be one of the three values ``ssl.CERT_NONE``
-            (certificates ignored), ``ssl.CERT_OPTIONAL``
-            (not required, but validated if provided), or ``ssl.CERT_REQUIRED``
-            (required and validated). If the value of this parameter is not
-            ``ssl.CERT_NONE`` and a value is not provided for ``ssl_ca_certs``
-            PyMongo will attempt to load system provided CA certificates.
-            If the python version in use does not support loading system CA
-            certificates then the ``ssl_ca_certs`` parameter must point
-            to a file of CA certificates. Implies ``ssl=True``. Defaults to
+            (certificates ignored), ``ssl.CERT_REQUIRED`` (certificates
+            required and validated), or ``ssl.CERT_OPTIONAL`` (the same as
+            CERT_REQUIRED, unless the server was configured to use anonymous
+            ciphers). If the value of this parameter is not ``ssl.CERT_NONE``
+            and a value is not provided for ``ssl_ca_certs`` PyMongo will
+            attempt to load system provided CA certificates. If the python
+            version in use does not support loading system CA certificates
+            then the ``ssl_ca_certs`` parameter must point to a file of CA
+            certificates. Implies ``ssl=True``. Defaults to
             ``ssl.CERT_REQUIRED`` if not provided and ``ssl=True``.
           - `ssl_ca_certs`: The ca_certs file contains a set of concatenated
             "certification authority" certificates, which are used to validate
