OK, that changes my position for 2.7 (but not for 3.5). I had assumed there was a way to disable the cert check by changing one parameter to the urlopen() call. (And I had wanted to add that there should be a clear FAQ about the subject.) If this isn't possible that changes the situation. (But I still think that once we do have that simple change option we should do it, in a later 2.7 upgrade.)

I apologize for speaking before I had read all facts, and I'll await what you and Nick come up with.


On Wed, Sep 3, 2014 at 12:26 PM, Christian Heimes <christian@python.org> wrote:
On 03.09.2014 19:54, Guido van Rossum wrote:
> Let's take the plunge on this issue for the next 2.7 release (3.5 being
> a done deal). Yes, some people will find that they have an old script
> accessing an old service which breaks. Surely some of the other changes
> in the same 2.7 bugfix release will also break some other scripts.
> People deal with it. Probably 90% of the time it's an annoyance (but no
> worse than any other minor-release upgrade -- you should test upgrades
> before committing to them, and if all else fails, roll it back). But at
> least some of the time it will be a wake-up call and an expired
> certificate will be replaced, resulting in more security for all.

I'm +1 for Python 3.5 but -1 for Python 2.7.

The SSLContext backport will landed in Python 2.7.9 (to be released). No
Python 2 user is familiar with the feature yet. But more importantly:
None of the stdlib modules support the new feature, too. httplib,
imaplib ... they all don't take a SSLContext object as an argument.
PEP-466 does not include the backport for the network modules. Without
the context argument there is simply no clean way to configure the SSL
handshake properly.

The default settings must stay until we decide to backport the context
argument and have a way to configure the default behavior. Nick and me
are planing a PEP.


--Guido van Rossum (python.org/~guido)