On Jun 3, 2013, at 1:58 AM, Benjamin Peterson <benjamin@python.org> wrote:

2013/6/2 Donald Stufft <donald@stufft.io>:
As of right now, as far as I can tell, Python does not validate HTTPS
certificates by default. As far as I can tell this is because there is no
guaranteed certificates available.

So I would like to propose that CPython adopt the Mozilla SSL certificate
list and include it in core, and switch over the API's so that they verify
HTTPS by default.


Ideally this would take the shape of attempting to locate the system
certificate store if possible, and if that doesn't work falling back to the
bundled certificates. That way the various Linux distros can easily have
their copies of Python depend soley on their built in certs, but Windows,
OSX, Source compiles etc will all still have a fallback value.

My preference would be actually be for the included certificates file
to be used by default. This would provide a consistent experience
across platforms. We could provide options to look for system cert
repositories if desired.

That's fine with me too. My only reason for wanting to use the system certs first is so
if someone has modified their system certs (say to include a corporate cert) that it
would ideally take affect for Python as well.

But honestly the Linux distros will probably modify things to use system certs anyways
and non Linux (esp Windows) probably doesn't have a way to get those system certs
into OpenSSL.


Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA