[Python-Dev] PEP 476: Enabling certificate validation by default!

M.-A. Lemburg mal at egenix.com
Fri Aug 29 22:00:00 CEST 2014

On 29.08.2014 21:47, Alex Gaynor wrote:
> Hi all,
> I've just submitted PEP 476, on enabling certificate validation by default for
> HTTPS clients in Python. Please have a look and let me know what you think.
> PEP text follows.

Thanks for the PEP. I think this is generally a good idea,
but some important parts are missing from the PEP:

 * transition plan:

   I think starting with warnings in Python 3.5 and going
   for exceptions in 3.6 would make a good transition

   Going straight for exceptions in 3.5 is not in line with
   our normal procedures for backwards incompatible changes.

 * configuration:

   It would be good to be able to switch this on or off
   without having to change the code, e.g. via a command
   line switch and environment variable; perhaps even
   controlling whether or not to raise an exception or

 * choice of trusted certificate:

   Instead of hard wiring using the system CA roots into
   Python it would be good to just make this default and
   permit the user to point Python to a different set of
   CA roots.

   This would enable using self signed certs more easily.
   Since these are often used for tests, demos and education,
   I think it's important to allow having more control of
   the trusted certs.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Aug 29 2014)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
2014-08-27: Released eGenix PyRun 2.0.1 ...       http://egenix.com/go62
2014-09-19: PyCon UK 2014, Coventry, UK ...                21 days to go
2014-09-27: PyDDF Sprint 2014 ...                          29 days to go

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Python-Dev mailing list