[Python-Dev] PEP 476: Enabling certificate validation by default!

Antoine Pitrou solipsis at pitrou.net
Fri Aug 29 23:55:40 CEST 2014

On Fri, 29 Aug 2014 17:11:35 -0400
Donald Stufft <donald at stufft.io> wrote:
> Another problem with this is that I don’t think it’s actually
> possible to do. Python itself isn’t validating the TLS certificates,
> OpenSSL is doing that. To my knowledge OpenSSL doesn’t
> have a way to say “please validate these certificates and if
> they don’t validate go ahead and keep going and just let me
> get a warning from it”.

Actually, there may be a solution.
In client mode, OpenSSL always verifies the server cert chain and
stores the verification result in the SSL structure. It will then only
report an error if the verify mode is not SSL_VERIFY_NONE.
(see ssl3_get_server_certificate() in s3_clnt.c)

The verification result should then be readable using
SSL_get_verify_result(), even with SSL_VERIFY_NONE.

(note this is only from reading the source code and needs verifying)

Then we could have the following transition phase:
- define a new CERT_WARN value for SSLContext.verify_mode
- use that value as the default in the HTTP stack (people who want the
  old silent default will have to set verify_mode explicitly to
- with CERT_WARN, SSL_VERIFY_NONE is passed to OpenSSL and Python
  manually calls SSL_get_verify_result() after a handshake; if there
  was a verification error, a warning is printed out

And in the following version we switch the HTTP default to



More information about the Python-Dev mailing list