[Python-Dev] Simplify and unify SSL verification

Barry Warsaw barry at python.org
Fri Nov 8 00:09:40 CET 2013

On Nov 07, 2013, at 10:42 PM, Christian Heimes wrote:

>You misunderstood me. I'm not proposing a global SSLContext object but a
>factory function that creates a context for Python stdlib modules. Right
>now every urllib, http.client, nntplib, asyncio, ftplib, poplib and
>imaplib have duplicated code. I'd like to have ONE function that creates
>and configures a SSLContext object with sensible default values for
>Python stdlib.

I'm sure you're considering this, but I want to explicitly preserve the
ability to register self-signed certificates.  It's often necessary in
practice, but very useful for testing purposes.

ssl.SSLContext.load_cert_chain() is the way to do this, but will this be
exposed in your proposed factory function?  If not, then I think it's
critically important that whatever API is exposed in the client code not hide
the SSLContext object, such that clients of the client code can load up those
self-signed certificates after the context has been created.


More information about the Python-Dev mailing list