On Sat, 30 Aug 2014 12:46:47 +0200 "M.-A. Lemburg" firstname.lastname@example.org wrote:
The change is to the OpenSSL API, not the OpenSSL lib. By setting the variable you enable a few special calls to the config loader functions in OpenSSL when calling the initializer it:
Ah, ok. Do you have experience with openssl.cnf? Apparently, it is meant for offline tools such as certificate generation, I am not sure how it could impact certification validation.
That use case should be served with the SSL_CERT_DIR and SSL_CERT_FILE env vars (or, better, by specific settings *inside* the application).
I'm against multiplying environment variables, as it makes it more difficult to assess the actual security of a setting. The danger of an ill-secure setting is much more severe than with hash randomization.
You have a point there. So how about just a Python run-time switch and no env var?
Well, why not, but does it have a value over letting the code properly configure their SSLContext?
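Added example, not part of the original thread: a sketch of what "letting the code properly configure their SSLContext" can look like, together with a check for the SSL_CERT_FILE / SSL_CERT_DIR overrides mentioned above. The function names (`explicit_context`, `weak_context`, `audit_context`, `env_trust_overrides`) are hypothetical, and `weak_context` exists only to give the audit something to flag.

```python
import os
import ssl


def explicit_context(cafile=None, capath=None):
    """Client context whose verification settings are chosen in code."""
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    else:
        # Falls back to OpenSSL's default paths, which the
        # SSL_CERT_FILE / SSL_CERT_DIR environment variables can redirect.
        ctx.load_default_certs()
    return ctx


def weak_context():
    """The setting an audit should flag: verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client-side SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")
    if not ctx.check_hostname:
        findings.append("hostname is not checked")
    return findings


def env_trust_overrides(environ=None):
    """Report which trust-store environment variables are set."""
    environ = os.environ if environ is None else environ
    paths = ssl.get_default_verify_paths()
    names = (paths.openssl_cafile_env, paths.openssl_capath_env)
    return {name: environ[name] for name in names if name in environ}


if __name__ == "__main__":
    print("explicit:", audit_context(explicit_context()))
    print("weak:    ", audit_context(weak_context()))
    print("env:     ", env_trust_overrides())
```

Running `env_trust_overrides()` at start-up makes an environment-supplied trust store visible in logs instead of leaving it implicit.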