[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Donald Stufft donald at stufft.io
Mon Jun 3 18:43:32 CEST 2013

On Jun 3, 2013, at 5:51 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:

> On Mon, 3 Jun 2013 21:37:10 +1200
> Ben Hoyt <benhoyt at gmail.com> wrote:
>> I'm not familiar with Unix/Linux, but on Windows, if it's anything
>> like mimetypes it'll be really hard to get consistent behaviour across
>> different boxes/versions from the registry, or wherever certs might be
>> stored on Windows. I'd much rather have a slightly outdated but
>> consistent experience by default.
> The problem with a "slightly outdated" CA store is that it can be a
> security risk.
> Regards
> Antoine.
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: http://mail.python.org/mailman/options/python-dev/donald%40stufft.io

Tracking the Mozilla store isn't difficult. New additions can be ignored for currently released Pythons so we'd just need to watch them for blacklisting certs and roll that into a security update.

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/956e6fc3/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/956e6fc3/attachment.pgp>

More information about the Python-Dev mailing list