[Python-Dev] PEP 476: Enabling certificate validation by default!
R. David Murray
rdmurray at bitdance.com
Sun Aug 31 04:21:49 CEST 2014
On Sun, 31 Aug 2014 03:25:25 +0200, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Sun, 31 Aug 2014 09:26:30 +1000
> Nick Coghlan <ncoghlan at gmail.com> wrote:
> > >>
> > >> * configuration:
> > >>
> > >> It would be good to be able to switch this on or off
> > >> without having to change the code, e.g. via a command
> > >> line switch and environment variable; perhaps even
> > >> controlling whether or not to raise an exception or
> > >> warning.
> > >>
> > >> * choice of trusted certificate:
> > >>
> > >> Instead of hard wiring using the system CA roots into
> > >> Python it would be good to just make this default and
> > >> permit the user to point Python to a different set of
> > >> CA roots.
> > >>
> > >> This would enable using self signed certs more easily.
> > >> Since these are often used for tests, demos and education,
> > >> I think it's important to allow having more control of
> > >> the trusted certs.
> > >
> > >
> > > +1 for PEP with above changes.
> >
> > Ditto from me.
> >
> > In relation to changing the Python CLI API to offer some of the wget/curl
> > style command line options, I like the idea of providing recipes in the
> > docs for implementing them at the application layer, but postponing making
> > the *default* behaviour configurable that way.
>
> I'm against any additional environment variables and command-line
> options. It will only complicate and obscure the security parameters of
> certificate validation.
>
> The existing knobs have already been mentioned in this thread, I won't
> mention them here again.
Do those knobs allow one to instruct urllib to accept an invalid
certificate without changing the program code?
--David
More information about the Python-Dev
mailing list