[Python-Dev] PEP 476: Enabling certificate validation by default!

Antoine Pitrou solipsis at pitrou.net
Fri Aug 29 23:57:41 CEST 2014

On Fri, 29 Aug 2014 17:42:34 -0400
"R. David Murray" <rdmurray at bitdance.com> wrote:
> Especially if you want an accelerated change, there must be a way to
> *easily* get back to the previous behavior, or we are going to catch a
> lot of flack.  There may be only 7% of public certs that are problematic,
> but I'd be willing to bet you that there are more not-really-public ones
> that are critical to day to day operations *somewhere* :)

Actually, by construction, there are certs which will always fail
verification, for example because they are embedded in telco equipments
which don't have a predefined hostname or IP address.
(I have encountered some of those)



More information about the Python-Dev mailing list