[Python-Dev] PEP 476: Enabling certificate validation by default!

Christian Heimes christian at python.org
Sun Aug 31 18:27:48 CEST 2014


On 31.08.2014 16:16, R. David Murray wrote:
> Self -signed certificates are not crazy in an internal corporate
> environment even when properly playing the defense in depth game.  Once
> you've acked the cert the first time, you will be warned if it changes
> (like an ssh host key).  Sure, as Nick says the corp could set up an
> internal signing authority and make sure everyone has their CA...and
> they *should*...but realistically, that is probably relatively rare at
> the moment, because it is not particularly easy to accomplish
> (distributing the CA everywhere it needs to go is still a Hard Problem,
> though it has gotten a lot better).

It's very simple to trust a self-signed certificate: just download it
and stuff it into the trust store. That's all. A self-signed certificate
acts as its own root CA (so to speak). But there is a downside, too. The
certificate is trusted for any and all connections. Python's SSL module
has no way to trust a specific certificate for a host.

Christian


More information about the Python-Dev mailing list