On Tue, 2 Sep 2014 14:00:02 -0700 Glyph Lefkowitz <email@example.com> wrote:
> I would strongly recommend against such a mechanism.
>
> For what it's worth, Twisted simply unconditionally started verifying certificates in 14.0 with no "disable" switch, and (to my knowledge) literally no users have complained.

And how many people are using Twisted as an HTTPS client? (compared to e.g. Python's httplib, and all the third-party libraries building on it?)

> Furthermore, "disable verification" is a nonsensical thing to do with TLS.

It's not. For example, if you have an expired cert, all you can do AFAIK is to disable verification.