[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Donald Stufft donald at stufft.io
Mon Jun 3 20:21:06 CEST 2013


On Jun 3, 2013, at 12:52 PM, Barry Warsaw <barry at python.org> wrote:

> On Jun 03, 2013, at 03:12 AM, Donald Stufft wrote:
> 
>> That's fine with me too. My only reason for wanting to use the system certs
>> first is so if someone has modified their system certs (say to include a
>> corporate cert) that it would ideally take effect for Python as well.
> 
> This reminds me of one other thing.  We have to make sure that the APIs
> (e.g urlopen()) continue to allow us to use self-signed certificates, if for
> no other reason than for testing purposes.  OTOH, taking this away would be a
> backward incompatible change in API so probably wouldn't happen anyway.
> 
> -Barry

The other additional comment I'd like to throw in here is that if we don't bundle SSL certs I think we should still verify by default (which means HTTPS urls will throw an error by default if we can't locate a certificate store), because I think the risk of people unknowingly thinking that their HTTPS urls are protected is significant enough that this "error" shouldn't be silent by default.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
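The policy described in this exchange (system certificates honoured first, a bundled file as fallback, a loud failure when no certificate store can be located, and an explicit opt-in for a self-signed test certificate) as an added example using the standard `ssl` module; this is illustrative code, not CPython's implementation, and `bundled_cafile`, `extra_cafile` and `NoCertificateStore` are hypothetical names.

```python
import ssl
from pathlib import Path


class NoCertificateStore(Exception):
    """No CA certificates could be loaded: fail loudly rather than verify nothing."""


def _load_cafile(ctx, cafile):
    """Load one PEM bundle into the context, refusing silently-missing paths."""
    path = Path(cafile)
    if not path.is_file():
        raise FileNotFoundError(f"CA file not found: {path}")
    ctx.load_verify_locations(cafile=str(path))


def make_verifying_context(bundled_cafile=None, use_system=True, extra_cafile=None):
    """Build a client context that always verifies the peer.

    Trust sources are consulted in the order the thread argues for: the
    system store first (so a corporate CA added there is honoured), a
    bundled file only as a fallback when the system yields nothing, and an
    optional caller-supplied CA (e.g. a self-signed cert for a test server).
    """
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if use_system:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if ca_count(ctx) == 0 and bundled_cafile is not None:
        _load_cafile(ctx, bundled_cafile)
    if extra_cafile is not None:  # explicit opt-in only, never implicit
        _load_cafile(ctx, extra_cafile)
    # The loud failure: no trust anchors means HTTPS must not proceed.
    if ca_count(ctx) == 0:
        raise NoCertificateStore("no CA certificates located; refusing to verify nothing")
    return ctx


def ca_count(ctx):
    """Number of CA certificates currently in the context's trust store."""
    return ctx.cert_store_stats()["x509_ca"]


def is_strict(ctx):
    """True when the context both requires a peer cert and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
```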

