On 29.08.2014 21:47, Alex Gaynor wrote:
I've just submitted PEP 476, on enabling certificate validation by default for HTTPS clients in Python. Please have a look and let me know what you think.
PEP text follows.
Thanks for the PEP. I think this is generally a good idea, but some important parts are missing from the PEP:
* transition plan:
I think starting with warnings in Python 3.5 and going for exceptions in 3.6 would make a good transition
Going straight for exceptions in 3.5 is not in line with our normal procedures for backwards incompatible changes.
It would be good to be able to switch this on or off without having to change the code, e.g. via a command line switch and environment variable; perhaps even controlling whether or not to raise an exception or warning.
* choice of trusted certificate:
Instead of hard wiring using the system CA roots into Python it would be good to just make this default and permit the user to point Python to a different set of CA roots.
This would enable using self signed certs more easily. Since these are often used for tests, demos and education, I think it's important to allow having more control of the trusted certs.