[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

david report at bugs.python.org
Fri Nov 19 02:46:47 CET 2010


david <db.pub.mail at gmail.com> added the comment:

On 19 November 2010 04:40, Martin v. Löwis <report at bugs.python.org> wrote:
>
> Martin v. Löwis <martin at v.loewis.de> added the comment:
>
>>> This may not be satisfying to users. For example, our Windows
>>> distribution doesn't ship with any certificates (AFAIK); I have no
>>> clue where exactly OpenSSL would be looking for them, either.
>>> People worried about this problem probably would want a way to
>>> fill the list of trusted CA certificates.
>>>
>>
>> Martin, does it matter?
>> To be honest I don't know about that many client side python windows
>> applications for which this is a problem. Maybe I am mistaken.
>
> I can't understand why you are saying that. The very same issues
> that people perceive as problems on Unix ("users can be victim
> to man in the middle attack") also exist on Windows. If you run
> a Python script that does https on Windows, you can *also* be
> MITM-victim (as likely as you can on Unix, that is).
>
> Or are you suggesting that Python Windows applications don't use SSL?
>
>> If
>> this is the case, then how do these projects work at the moment? (or
>> do they just not care about this...) .
>
> "The projects" may be scripts that somebody developed that never get
> released. But yes, most people ignore/accept the problem (often as
> gruntingly as the Unix users).
>
>> However, they could bundle
>> their own certificates, so I don't see this as an issue.
>
> Who is "they"? Most people get their Python binaries from python.org,
> and they don't build "applications" from it, but run "scripts".
>
>> However, you seem confused here:
>> " I have no
>>> clue where exactly OpenSSL would be looking for them, either.
>>> People worried about this problem probably would want a way to
>>> fill the list of trusted CA certificates."
>>
>> Erh, those people can already do this, but the problem is by default
>> none are selected.
>
> You misunderstood. I was not proposing that scripts provide a CA
> list, but that users might deploy a CA list into their Python
> installation, which is then picked up in the same way as you are asking
> for on Ubuntu.

No I did not misunderstand at all.
I am pushing for safer defaults or a way to enable safe defaults.
Having to tamper with my python path and point at a modified version
of the ssl module doesn't sound like fun.

OH windows users those guys. Well if they don't have any certificates
at the moment and they don't know this, perhaps someone should tell
them?
I don't know, I am not a windows python user.

----------
title: some stdlib modules need to be updated to handle SSL	certificate validation -> some stdlib modules need to be updated to handle SSL certificate validation

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue10441>
_______________________________________
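
A check for the two questions raised in this message (where OpenSSL looks for CA certificates, and whether a client context validates anything by default), added here as an example and not part of the original message or of any tracker patch. It uses the `ssl` module API of current Python 3, which postdates this 2010 discussion; the function names are illustrative.

```python
import ssl


def openssl_search_paths():
    """Where this OpenSSL build looks for trusted CA certificates by default."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile_in_use": p.cafile,        # None if the default file does not exist
        "capath_in_use": p.capath,        # None if the default directory does not exist
        "compiled_cafile": p.openssl_cafile,
        "compiled_capath": p.openssl_capath,
        "env_overrides": (p.openssl_cafile_env, p.openssl_capath_env),
    }


def trust_report(ctx):
    """Summarise whether a client context validates the peer and what it trusts."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        # Counts only certificates already loaded into memory; entries in a
        # capath directory are loaded on demand, so this can be 0 on a
        # correctly configured system.
        "ca_certs_loaded": ctx.cert_store_stats()["x509_ca"],
    }


def no_validation_context():
    """The behaviour the thread complains about: no CA list, nothing checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validating_context(cafile=None):
    """Safe default: system CA list, or a CA bundle the user deployed."""
    return ssl.create_default_context(cafile=cafile)


if __name__ == "__main__":
    for name, value in openssl_search_paths().items():
        print(f"{name}: {value}")
    print("unvalidated:", trust_report(no_validation_context()))
    print("validating: ", trust_report(validating_context()))
```

If both `cafile_in_use` and `capath_in_use` come back as `None`, the installation has no default trust store, and `validating_context(cafile=...)` needs to be pointed at a deployed CA bundle.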

