On Wed, 03 Sep 2014 16:31:13 +0200, Antoine Pitrou email@example.com wrote:
On Tue, 02 Sep 2014 21:29:16 -0400 "R. David Murray" firstname.lastname@example.org wrote:
The top proposal so far is an sslcustomize.py file that could be used to either decrease or increase the default security. This is a much less handy solution than application options (eg, curl, wget) that allow disabling security for "this cert" or "this CLI session". It also is more prone to unthinking abuse since it is persistent. So perhaps it is indeed not worth it. (That's why I suggested an environment variable...something you could specify on the command line for a one-off.)
I'll be fine with not adding any hooks at all, and letting people configure their application code correctly :-)
Again, the problem arises when it is not *their* application code, but a third party tool that hasn't been ported to 3.5.
I'm OK with letting go of this invalid-cert issue myself, given the lack of negative feedback Twisted got. I'll just keep my fingers crossed.