On Aug 31, 2014, at 5:43 PM, Christian Heimes <christian@python.org> wrote:

On 31.08.2014 08:09, Nick Coghlan wrote:
As Antoine says here, I'm also opposed to adding more Python specific
configuration options. However, I think there may be something
worthwhile we can do that's closer to the way browsers work, and has
the significant benefit of being implementable as a PyPI module first
(more on that in a separate reply).

I'm on your and Antoine's side and strictly against any additional
environment variables or command line arguments. That would make the
whole validation process even more complex and harder to understand.

There might be a better option to give people and companies the option
to tune the SSL module to their needs. Python already have a
customization hook for the site module called sitecustomize. How about
another module named sslcustomize? Such a module could be used to tune
the ssl module to the needs of users, e.g. configure a different default
context, add certificates to a default context etc.

Companies could install them in a system global directory on their
servers. Users could put them in their own user site directory and even
each virtual env can have one sslcustomize of its own. It's fully
backward compatible, doesn't add any flags and developers have the full
power of Python for configuration and customization.

This may be a dumb question, but why can’t sitecustomize do this already?

Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA