[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Ben Hoyt benhoyt at gmail.com
Mon Jun 3 09:38:45 CEST 2013


Love this idea. Some third-party HTTP libraries turn this on by
default in any case (eg: requests, and I think others), so this would
mean Python would get their "safe-by-default" behaviour in its stdlib.

> > Ideally this would take the shape of attempting to locate the system
> > certificate store if possible, and if that doesn't work falling back to the
> > bundled certificates. That way the various Linux distros can easily have
> > their copies of Python depend solely on their built in certs, but Windows,
> > OSX, Source compiles etc will all still have a fallback value.
>
> My preference would actually be for the included certificates file
> to be used by default. This would provide a consistent experience
> across platforms. We could provide options to look for system cert
> repositories if desired.

Very much agreed. When the Windows version of the mimetypes module
tried to use Windows' system mimetype mappings by default, chaos and
bugs ensued (for example, http://bugs.python.org/issue15207 and
http://bugs.python.org/issue10551).

-Ben
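
The two lookup orders debated in the quoted text (system store first with a bundled fallback, versus bundled file first), as an added sketch that is not part of the original message or CPython's own code. The function names, the policy strings and the `paths` override are assumptions made for illustration; either order fails closed when no trust anchors are found.

```python
import os
import ssl
import sys


def system_store_usable(paths=None):
    """Heuristic (an assumption of this sketch): is any system CA material present?

    `paths` only overrides detection, e.g. for testing; it needs .cafile/.capath.
    """
    if paths is None:
        if sys.platform == "win32":
            return bool(ssl.enum_certificates("ROOT"))  # Windows system store
        paths = ssl.get_default_verify_paths()          # OpenSSL default locations
    if paths.cafile and os.path.isfile(paths.cafile):
        return True
    return bool(paths.capath and os.path.isdir(paths.capath)
                and os.listdir(paths.capath))


def pick_trust_source(policy, bundled_cafile=None, paths=None):
    """Return 'system' or 'bundle' for policy 'system-first' or 'bundle-first'."""
    if policy not in ("system-first", "bundle-first"):
        raise ValueError("unknown policy: %r" % (policy,))
    available = {
        "system": system_store_usable(paths),
        "bundle": bool(bundled_cafile and os.path.isfile(bundled_cafile)),
    }
    order = ["system", "bundle"] if policy == "system-first" else ["bundle", "system"]
    for source in order:
        if available[source]:
            return source
    # Fail closed: never hand back a context that silently skips verification.
    raise RuntimeError("no trust anchors available")


def make_client_context(policy, bundled_cafile=None, paths=None):
    """Build a verifying client context from the chosen trust source."""
    source = pick_trust_source(policy, bundled_cafile, paths)
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if source == "system":
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        ctx.load_verify_locations(cafile=bundled_cafile)
    return source, ctx
```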