[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Benjamin Peterson benjamin at python.org
Mon Jun 3 07:58:12 CEST 2013

2013/6/2 Donald Stufft <donald at stufft.io>:
> As of right now, as far as I can tell, Python does not validate HTTPS
> certificates by default. As far as I can tell this is because there is no
> guaranteed certificates available.
> So I would like to propose that CPython adopt the Mozilla SSL certificate
> list and include it in core, and switch over the API's so that they verify
> HTTPS by default.


> Ideally this would take the shape of attempting to locate the system
> certificate store if possible, and if that doesn't work falling back to the
> bundled certificates. That way the various Linux distros can easily have
> their copies of Python depend soley on their built in certs, but Windows,
> OSX, Source compiles etc will all still have a fallback value.

My preference would be actually be for the included certificates file
to be used by default. This would provide a consistent experience
across platforms. We could provide options to look for system cert
repositories if desired.


More information about the Python-Dev mailing list