[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Ben Darnell ben at bendarnell.com
Mon Jun 3 15:05:14 CEST 2013


On Mon, Jun 3, 2013 at 1:20 AM, Donald Stufft <donald at stufft.io> wrote:

> As of right now, as far as I can tell, Python does not validate HTTPS
> certificates by default. As far as I can tell this is because there is no
> guaranteed certificates available.
>
> So I would like to propose that CPython adopt the Mozilla SSL certificate
> list and include it in core, and switch over the APIs so that they verify
> HTTPS by default. This is what most people are going to expect when using a
> https url (Especially after learning that Python 2.x doesn't verify TLS,
> but Python 3.x "does").
>
> Ideally this would take the shape of attempting to locate the system
> certificate store if possible, and if that doesn't work falling back to the
> bundled certificates. That way the various Linux distros can easily have
> their copies of Python depend solely on their built in certs, but Windows,
> OSX, Source compiles etc will all still have a fallback value.
>

+1.  I bundle a copy of the Mozilla CA list with Tornado, but would love to
access the system's CA roots and/or use a Python-provided copy.  I'd prefer
to use the certificates from the operating system when possible, as that
list is most likely to receive timely security updates (or be updated with
a local corporate CA, for example).  It's better to aim for consistency
with the user's browser than consistency of Python applications across
different installations.

The data is analogous to the time zone database (PEP 431) in that it may
need to be updated independently of Python's own release schedule, so we
may want to use similar techniques to manage both.  Also see certifi (
https://pypi.python.org/pypi/certifi), which is a copy of the Mozilla list
in a pip-installable form.

-Ben
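The lookup order Donald proposes (system certificate store first, bundled Mozilla list as the fallback, verification on in every case), written as an added example in current Python; this is not code from the thread, Tornado or CPython. It assumes Python 3.4 or later and treats the certifi package mentioned above as an optional dependency.

```python
"""Verify HTTPS against the OS trust store, falling back to a bundled CA file.

Added example for this thread, not Tornado or CPython code. Assumes Python 3.4+
and treats `certifi` as optional. Verification is never switched off: when no
trusted CA store can be found the function raises instead of handing back an
unverified context."""
import ssl


def build_verifying_context(prefer_system=True, bundled_cafile=None):
    """Return (SSLContext, source) where source is "system" or "bundled"."""
    # PROTOCOL_TLS_CLIENT gives CERT_REQUIRED and check_hostname=True,
    # but loads no CA certificates yet, so we control where trust comes from.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    if prefer_system:
        # OpenSSL's default paths on Unix, the Windows/macOS stores elsewhere.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
        if ctx.cert_store_stats()["x509_ca"] > 0:
            return ctx, "system"

    if bundled_cafile is None:
        try:
            import certifi  # pip-installable copy of the Mozilla CA list
        except ImportError:
            raise RuntimeError(
                "no system CA store found and no bundled CA file given") from None
        bundled_cafile = certifi.where()

    # Raises OSError if the bundle is missing; a missing bundle must be loud,
    # never a silent downgrade to unverified TLS.
    ctx.load_verify_locations(cafile=bundled_cafile)
    if ctx.cert_store_stats()["x509_ca"] == 0:
        raise RuntimeError("bundled CA file %r has no CA certificates" % bundled_cafile)
    return ctx, "bundled"


def is_verifying(ctx):
    """True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    ctx, source = build_verifying_context()
    print("trust source:", source, "| verifying:", is_verifying(ctx))
```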
