[issue10795] standard library do not use ssl as recommended

Antoine Pitrou report at bugs.python.org
Thu Mar 10 17:57:07 CET 2011

Antoine Pitrou <pitrou at free.fr> added the comment:

> I'd rather recommend a different approach, where the set of CAs
> doesn't need to be specified for every module that directly or
> indirectly uses SSL. Instead, there should be support for a
> thread-local setting of the allowable CAs, and then no API changes are
> necessary.

While thread-local variables are fine in applications, I think they
should be avoided in libraries (especially the stdlib). There are too
many pitfalls (for example: the user decides to offload a network task
to a separate thread and different SSL parameters get silently used).

The API changes are quite simple, both in concept and in implementation.
I think explicit is really better than implicit when it comes to
security-critical parameters.


Python tracker <report at bugs.python.org>

More information about the Python-bugs-list mailing list