[Python-Dev] PEP 476: Enabling certificate validation by default!

Antoine Pitrou antoine at python.org
Sun Aug 31 19:29:38 CEST 2014

Le 31/08/2014 19:03, Paul Moore a écrit :
> On 31 August 2014 17:27, Christian Heimes <christian at python.org> wrote:
>> It's very simple to trust a self-signed certificate: just download it
>> and stuff it into the trust store.
> "Stuff it into the trust store" is the hard bit, though. I have
> honestly no idea how to do that.

You certainly shouldn't do so. If an application has special needs that 
require trusting a self-signed certificate, then it should expose a 
configuration setting to let users specify the cert's location. Stuffing 
self-signed certs into the system trust store is really a measure of 
last resort.

There's another case which isn't solved by this, though, which is when a 
cert is invalid. The common situation being that it has expired 
(renewing certs is a PITA and therefore expired certs are more common 
than it sounds they should be). In this case, there is no way to 
whitelist it: you have to disable certificate checking altogether. This 
can be exposed by the application as configuration option if necessary, 
as well.



More information about the Python-Dev mailing list