[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Paul Moore p.f.moore at gmail.com
Tue Jun 4 00:01:22 CEST 2013

On 3 June 2013 22:46, Donald Stufft <donald at stufft.io> wrote:

> Also, we should consider the issue for application users. Suppose I'm
> using a Python application that downloads something from the web. I upgrade
> to 3.4, and the app stops working because of a "will cease to work" case.
> As an end user, how can I get the app working again? Having to patch the
> sources isn't an option, and reverting to 3.3 provokes the reaction "Python
> broke my app".
> Supply a SSL vert using the environment variable?

Hmm, that would be acceptable, I guess, for many users (although Windows
users are somewhat more environment-variable-averse than Unix users). But
you say that as if it's obvious how to do that (or where to get a cert).
It's certainly not obvious to me, and if "it works in Internet Explorer",
I'd have no idea where to get a cert from that I could use in an
environment variable.

Just to repeat - I agree with the principle, but in many environments,
users are pretty much clueless about security and actively object to being
educated "for their own safety". These users will disable all security
quite happily if it stops the internal app failing, and will blame Python
for "making things harder" and breaking backward compatibility. On the
other hand, I suspect we're talking about an extremely low percentage of
cases, so let's not blow the issue out of proportion :-)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/2474bd83/attachment-0001.html>

More information about the Python-Dev mailing list