[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Brett Cannon brett at python.org
Mon Jun 3 21:20:27 CEST 2013

On Mon, Jun 3, 2013 at 1:04 PM, Barry Warsaw <barry at python.org> wrote:

> On Jun 03, 2013, at 02:21 PM, Donald Stufft wrote:
> >The other additional comment I'd like to throw in here is that if we don't
> >bundle SSL certs I think we should still verify by default (which means
> >urls will throw an error by default if we can't locate a certificate
> store)
> >because I think the risk to people unknowingly thinking that their HTTPS
> urls
> >are protected are significant enough that this "error" shouldn't be
> silent by
> >default.
> +1, especially if we ensure that the APIs are available to not verify, as
> is
> currently the case with urlopen().  I don't think people will want to do
> that
> in production, but it will be useful for testing (e.g. guess how I found
> issues 17977 :).

+1 from me as well. Whether we bundle or simply provide a command to
download the certs I think making this default is the bare-minimum,
especially if setting nothing more than cadefault=True is all that is
needed to get this behaviour since that's backwards-compatible to Python
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/1631237a/attachment.html>

More information about the Python-Dev mailing list