[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Antoine Pitrou solipsis at pitrou.net
Mon Jun 3 21:52:44 CEST 2013


On Mon, 03 Jun 2013 11:56:45 -0700
Ethan Furman <ethan at stoneleaf.us> wrote:
> On 06/03/2013 11:34 AM, Antoine Pitrou wrote:
> > On Mon, 3 Jun 2013 14:12:34 -0400
> > Donald Stufft wrote:
> >>
> >> I worry with the current situation people will just use TLS connections without realizing it's not being verified and thinking they are "safe".
> >
> > Yet there's quite a visible warning in the docs:
> > http://docs.python.org/dev/library/urllib.request.html
> 
> As has been mentioned elsewhere, at the very least we should change cadefault to True for secure-type connections.
> The dangerous/unexpected behavior should not be the default.

cadefault=True will probably fail if the system certs are not
properly configured in OpenSSL, e.g. under Windows or with a hand-made
OpenSSL build.
And, because of the way the OpenSSL API works, there's no way of
knowing if it is the case or not:
http://docs.python.org/3.4/library/ssl.html#ssl.SSLContext.set_default_verify_paths

While I'm not saying we shouldn't try to verify certs by default, doing
so is a little more delicate than "setting cadefault to True",
unfortunately. Bundling our own CA cert store is an option, assuming
Donald or someone else wants to take responsibility for it.

Regards

Antoine.
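
Added example, not part of the message above and not CPython's own code: since set_default_verify_paths() reports nothing when no certificates are found, a caller that turns verification on can inspect the default trust store locations itself before relying on them. It uses ssl.get_default_verify_paths(), SSLContext.cert_store_stats() and ssl.PROTOCOL_TLS_CLIENT from later versions of the ssl module; the function names and the file-existence heuristic are assumptions of this example.

```python
import os
import ssl


def store_looks_usable(cafile, capath):
    """Return True if either location could supply at least one CA cert.

    Filesystem heuristic only (an assumption of this example); it does not
    parse or validate the certificates themselves.
    """
    if cafile and os.path.isfile(cafile) and os.path.getsize(cafile) > 0:
        return True
    if capath and os.path.isdir(capath) and os.listdir(capath):
        return True
    return False


def verifying_context():
    """Build a verifying client context and report on its trust store."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and check_hostname by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Returns None and raises nothing, even if OpenSSL finds no certificates.
    ctx.set_default_verify_paths()
    paths = ssl.get_default_verify_paths()
    report = {
        "cafile": paths.cafile,   # None if the file does not exist
        "capath": paths.capath,   # None if the directory does not exist
        "usable": store_looks_usable(paths.cafile, paths.capath),
        # capath entries are loaded lazily on first use, so this count can be
        # 0 on a correctly configured system; treat it as a hint only.
        "preloaded_ca_certs": ctx.cert_store_stats()["x509_ca"],
    }
    return ctx, report


if __name__ == "__main__":
    ctx, report = verifying_context()
    print(report)
    if not report["usable"]:
        print("no CA certificates found in the OpenSSL default locations; "
              "every verified handshake from this context will fail")
```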
