[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Antoine Pitrou solipsis at pitrou.net
Mon Jun 3 11:22:05 CEST 2013


On Sun, 2 Jun 2013 22:57:15 -0700
Chris Rebert <clp2 at rebertia.com> wrote:
> On Jun 2, 2013 10:22 PM, "Donald Stufft" <donald at stufft.io> wrote:
> >
> > As of right now, as far as I can tell, Python does not validate HTTPS certificates by default. As far as I can tell this is because there are no guaranteed certificates available.
> 
> Relevant: http://bugs.python.org/issue13647
> 
> > So I would like to propose that CPython adopt the Mozilla SSL certificate list and include it in core, and switch over the APIs so that they verify HTTPS by default. This is what most people are going to expect when using an https URL (especially after learning that Python 2.x doesn't verify TLS, but Python 3.x "does").
> >
> > Ideally this would take the shape of attempting to locate the system certificate store if possible, and if that doesn't work falling back to the bundled certificates. That way the various Linux distros can easily have their copies of Python depend solely on their built-in certs, but Windows, OSX, source compiles etc. will all still have a fallback value.
> 
> There's an existing request for this:
> http://bugs.python.org/issue13655

See also http://bugs.python.org/issue17134

Regards

Antoine.
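The fallback strategy quoted above (platform certificate store first, bundled certificates otherwise, verification always on), as an added example that is not part of this thread or of CPython's own code. It uses the ssl module API of later Python 3 releases; the bundled CA file path is a placeholder, and the "none" branch fails closed rather than disabling verification.

```python
import os
import ssl

# Assumption: a CA bundle shipped with the application (e.g. the Mozilla list
# the proposal mentions). The path is a placeholder, not a CPython location.
BUNDLED_CA_FILE = os.environ.get("BUNDLED_CA_FILE", "/path/to/bundled/cacert.pem")


def make_verifying_context(bundled_ca_file=BUNDLED_CA_FILE):
    """Return (ctx, source): a client SSLContext that always verifies the peer.

    Prefer the platform store, fall back to a bundled CA file, never CERT_NONE.
    Pass ctx to urllib.request.urlopen(url, context=ctx) or to wrap_socket().
    """
    # PROTOCOL_TLS_CLIENT already implies CERT_REQUIRED and check_hostname;
    # set both explicitly so the intent is visible in the code.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True

    # 1. Platform store: OpenSSL's default paths, or the Windows cert stores.
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if ctx.cert_store_stats()["x509_ca"] > 0:
        return ctx, "system"

    # 2. Bundled fallback for source builds, Windows, OS X.
    if os.path.isfile(bundled_ca_file):
        ctx.load_verify_locations(cafile=bundled_ca_file)
        if ctx.cert_store_stats()["x509_ca"] > 0:
            return ctx, "bundled"

    # 3. Nothing found: fail closed. Every handshake now raises
    # CERTIFICATE_VERIFY_FAILED instead of silently trusting any certificate.
    return ctx, "none"


def legacy_unverified_context():
    """The behaviour the proposal wants to replace, shown for contrast:
    no trust store and no verification, so any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before dropping verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```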
