[Python-Dev] PEP 476: Enabling certificate validation by default!

Antoine Pitrou solipsis at pitrou.net
Sat Aug 30 12:55:54 CEST 2014

On Sat, 30 Aug 2014 12:46:47 +0200
"M.-A. Lemburg" <mal at egenix.com> wrote:
> The change is to the OpenSSL API, not the OpenSSL lib. By setting
> the variable you enable a few special calls to the config loader
> functions in OpenSSL when calling the initializer it:
> https://www.openssl.org/docs/crypto/OPENSSL_config.html

Ah, ok. Do you have experience with openssl.cnf? Apparently, it is
meant for offline tools such as certificate generation, I am not sure
how it could impact certification validation.

> > That use case should be served with the SSL_CERT_DIR and SSL_CERT_FILE
> > env vars (or, better, by specific settings *inside* the application).
> > 
> > I'm against multiplying environment variables, as it makes it more
> > difficult to assess the actual security of a setting. The danger of an
> > ill-secure setting is much more severe than with hash randomization.
> You have a point there. So how about just a python run-time switch
> and no env var ?

Well, why not, but does it have a value over letting the code properly
configure their SSLContext?



More information about the Python-Dev mailing list