[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Ronald Oussoren ronaldoussoren at mac.com
Tue Jun 4 12:20:35 CEST 2013

On 3 Jun, 2013, at 7:58, Benjamin Peterson <benjamin at python.org> wrote:

> 2013/6/2 Donald Stufft <donald at stufft.io>:
>> As of right now, as far as I can tell, Python does not validate HTTPS
>> certificates by default. As far as I can tell this is because there is no
>> guaranteed certificates available.
>> So I would like to propose that CPython adopt the Mozilla SSL certificate
>> list and include it in core, and switch over the API's so that they verify
>> HTTPS by default.
> +1
>> Ideally this would take the shape of attempting to locate the system
>> certificate store if possible, and if that doesn't work falling back to the
>> bundled certificates. That way the various Linux distros can easily have
>> their copies of Python depend soley on their built in certs, but Windows,
>> OSX, Source compiles etc will all still have a fallback value.
> My preference would be actually be for the included certificates file
> to be used by default. This would provide a consistent experience
> across platforms. We could provide options to look for system cert
> repositories if desired.

I'd prefer to use the system CA list when that's available. I've had to hunt down the CA list for a number of application when a custom CA for internal use and that's not fun, using the system list is much friendlier to users. 


More information about the Python-Dev mailing list