[issue10795] standard library do not use ssl as recommended

Antoine Pitrou report at bugs.python.org
Thu Mar 10 17:57:07 CET 2011


Antoine Pitrou <pitrou at free.fr> added the comment:

> I'd rather recommend a different approach, where the set of CAs
> doesn't need to be specified for every module that directly or
> indirectly uses SSL. Instead, there should be support for a
> thread-local setting of the allowable CAs, and then no API changes are
> necessary.

While thread-local variables are fine in applications, I think they
should be avoided in libraries (especially the stdlib). There are too
many pitfalls (for example: the user decides to offload a network task
to a separate thread and different SSL parameters get silently used).

The API changes are quite simple, both in concept and in implementation.
I think explicit is really better than implicit when it comes to
security-critical parameters.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue10795>
_______________________________________
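
The pitfall described in the comment above, as an added example that is not part of the original message or of the Python code base. The thread-local store and every function name here are hypothetical, and the fallback to no verification when a thread has nothing configured is an assumption made for the illustration.

```python
import ssl
import threading

# Hypothetical thread-local store for SSL settings (not a stdlib API).
_tls = threading.local()

def set_thread_verify_mode(mode):
    """Configure certificate verification for the *current* thread only."""
    _tls.verify_mode = mode

def implicit_context():
    """Build a context from thread-local state (the implicit design)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Assumption: a thread with nothing configured gets no verification.
    mode = getattr(_tls, "verify_mode", ssl.CERT_NONE)
    if mode == ssl.CERT_NONE:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
    ctx.verify_mode = mode
    return ctx

def fetch_implicit():
    """Library call that picks up whatever its thread happens to have set."""
    return implicit_context().verify_mode.name

def fetch_explicit(context):
    """Library call that takes the security-critical parameter explicitly."""
    return context.verify_mode.name

def run_in_worker(fn, *args):
    """Run fn in a new thread, as an application offloading a network task."""
    box = []
    worker = threading.Thread(target=lambda: box.append(fn(*args)))
    worker.start()
    worker.join()
    return box[0]

def demo():
    set_thread_verify_mode(ssl.CERT_REQUIRED)          # set in the caller's thread
    explicit = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    return {
        "implicit_main": fetch_implicit(),
        "implicit_worker": run_in_worker(fetch_implicit),
        "explicit_worker": run_in_worker(fetch_explicit, explicit),
    }

if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {mode}")
```

No network connection is made; the example only compares the verification mode each call would use.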

