[Python-Dev] PEP 476: Enabling certificate validation by default!

M.-A. Lemburg mal at egenix.com
Sat Aug 30 16:20:22 CEST 2014

On 30.08.2014 15:32, R. David Murray wrote:
> On Sat, 30 Aug 2014 14:03:57 +0200, "M.-A. Lemburg" <mal at egenix.com> wrote:
>> On 30.08.2014 12:55, Antoine Pitrou wrote:
>>> On Sat, 30 Aug 2014 12:46:47 +0200
>>> "M.-A. Lemburg" <mal at egenix.com> wrote:
>>>>> That use case should be served with the SSL_CERT_DIR and SSL_CERT_FILE
>>>>> env vars (or, better, by specific settings *inside* the application).
>>>>> I'm against multiplying environment variables, as it makes it more
>>>>> difficult to assess the actual security of a setting. The danger of an
>>>>> ill-secure setting is much more severe than with hash randomization.
>>>> You have a point there. So how about just a python run-time switch
>>>> and no env var ?
>>> Well, why not, but does it have a value over letting the code properly
>>> configure their SSLContext?
>> Yes, because when Python changes the default to be validating
>> and more secure, application developers will do the same as
>> they do now: simply use the defaults ;-)
> But neither of those addresses the articulated use case: someone *using*
> a program implemented in python that does not itself provide a way to
> disable the new default security (because it is *new*).  Only an
> environment variable will do that.
> Since the environment variable is opt-in, I think the "consenting
> adults" argument applies to Alex's demure about "multiple connections".
> It could still emit the warnings.

That would be a possibility as well, yes.

I'd just like to see a way to say: I know what I'm doing
and I'm not in the mood to configure my own CA list, so
please go ahead and accept whatever certs you find --
much like what --no-check-certificate does for wget.

Marc-Andre Lemburg

Professional Python Services directly from the Source  (#1, Aug 30 2014)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
2014-08-27: Released eGenix PyRun 2.0.1 ...       http://egenix.com/go62
2014-09-19: PyCon UK 2014, Coventry, UK ...                20 days to go
2014-09-27: PyDDF Sprint 2014 ...                          28 days to go

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Python-Dev mailing list