On 3 September 2014 01:19, Antoine Pitrou firstname.lastname@example.org wrote:
> Keep saying it doesn't make it magically true.
Sure, but it *is* true, at the very least for HTTP.
RFC 2818 (HTTP over TLS) has the following language in section 3.1:
If the hostname is available, the client MUST check it against the server's identity as presented in the server's Certificate message, in order to prevent man-in-the-middle attacks.
If the client has external information as to the expected identity of the server, the hostname check MAY be omitted.
The default behaviour of httplib is in contravention of the normative language of this specification and is therefore bugged. (For those unclear about the relevance of RFC 2818, it's normatively referenced by RFC 7230, which is the HTTP/1.1 spec.)
This should silence the debate about whether httplib's behaviour is a bug or not.
> Besides, it can perfectly well be a bug fix *as well as* a break in backwards compatibility.
This is definitely true, and this change is both. The only question that matters is whether we believe we're doing users a service by breaking their code. I'd argue, along with Glyph, Alex and Donald, that we are. I've been on the losing side of this debate a number of times though, and I expect I will be again.
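As an added example that is not code from this thread or from CPython: the check RFC 2818 section 3.1 demands, run offline against a constructed certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns, next to the two `SSLContext` configurations the message contrasts (one that verifies, and the no-check default it calls a bug). The names `match_hostname`, `_dnsname_match`, `verifying_context`, `unverified_context` and both sample certificates are assumptions of this example. It goes beyond the quoted RFC text in two places, both marked in the code: wildcard handling follows RFC 6125 section 6.4.3 rather than RFC 2818's looser "component fragment" wildcards, and IP-literal hostnames are matched only against subjectAltName iPAddress entries.

```python
"""Hostname checking as RFC 2818 section 3.1 requires.  Added example for this
thread, not CPython's code.  Certificates below are constructed samples in the
dict shape that ssl.SSLSocket.getpeercert() returns."""
import ipaddress
import ssl

# Constructed sample: SAN carries two dNSName entries (one wildcard) and one
# iPAddress entry; the CN deliberately differs so the precedence rule is visible.
SAMPLE_CERT = {
    "subject": ((("commonName", "cn-only.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.api.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed legacy-style sample with no subjectAltName at all.
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.net"),),)}


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or CN) pattern against a hostname.

    Comparison is case-insensitive and ignores a trailing dot.  Wildcards follow
    RFC 6125 section 6.4.3 rather than RFC 2818's looser "component fragment"
    rule: '*' must be the entire leftmost label and matches exactly one label.
    Rejecting '*.tld' (fewer than two labels after the '*') is a deliberate
    hardening beyond either RFC.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial ('f*.example.com') or non-leftmost wildcards
    if len(p_labels) < 3:
        return False  # '*' or '*.com' would match far too much
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False  # the wildcard covers exactly one non-empty label
    return p_labels[1:] == h_labels[1:]


def _as_ip(text: str):
    """Return an ip_address object for an IP literal, or None for a DNS name."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def match_hostname(cert: dict, hostname: str) -> bool:
    """True iff `hostname` is an identity the certificate presents.

    Per RFC 2818: if any subjectAltName dNSName is present it MUST be used and
    the CN is ignored; otherwise the CN is consulted.  IP literals are matched
    only against subjectAltName iPAddress entries, never against names.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_entries = [value for kind, value in san if kind == "IP Address"]

    ip = _as_ip(hostname)
    if ip is not None:
        return any(_as_ip(entry) == ip for entry in ip_entries)
    if dns_names:
        return any(_dnsname_match(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dnsname_match(value, hostname)
    return False


def verifying_context(cafile=None) -> ssl.SSLContext:
    """Client context that does what RFC 2818 requires: validate the chain and
    check the hostname.  PROTOCOL_TLS_CLIENT already defaults to both; they are
    set explicitly so the intent survives a later edit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    return ctx


def unverified_context() -> ssl.SSLContext:
    """The behaviour the post calls a bug: no chain validation, no hostname
    check.  Shown only to make the contrast explicit; anyone in the path can
    present any certificate and this context accepts it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for host in ("www.example.com", "WWW.EXAMPLE.COM.", "foo.api.example.com",
                 "a.b.api.example.com", "api.example.com", "192.0.2.10",
                 "cn-only.example.com"):
        print(f"{host:22s} {match_hostname(SAMPLE_CERT, host)}")
```

The RFC's MAY clause (hostname check omitted when the client has "external information as to the expected identity") is the only legitimate reason to reach for something like `unverified_context()`, and then only if the code compares the presented certificate against that external information itself, for example a pinned certificate fingerprint, before sending anything.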