On Sun, 31 Aug 2014 09:26:30 +1000 Nick Coghlan firstname.lastname@example.org wrote:
It would be good to be able to switch this on or off without having to change the code, e.g. via a command line switch and environment variable; perhaps even controlling whether or not to raise an exception or warning.
choice of trusted certificate:
Instead of hard-wiring using the system CA roots into Python it would be good to just make this default and permit the user to point Python to a different set of CA roots.
This would enable using self-signed certs more easily. Since these are often used for tests, demos and education, I think it's important to allow having more control of the trusted certs.
+1 for PEP with above changes.
Ditto from me.
In relation to changing the Python CLI API to offer some of the wget/curl style command line options, I like the idea of providing recipes in the docs for implementing them at the application layer, but postponing making the *default* behaviour configurable that way.
I'm against any additional environment variables and command-line options. It will only complicate and obscure the security parameters of certificate validation.
The existing knobs have already been mentioned in this thread; I won't mention them here again.