[Python-Dev] Enable Hostname and Certificate Chain Validation

Christian Heimes christian at python.org
Wed Jan 22 14:29:04 CET 2014


On 22.01.2014 12:45, Nick Coghlan wrote:
> We also have to account for the fact that an awful lot of Python
> applications are corporate ones relying on perimeter defence for
> security, or private CAs, or just self-signed certificates that their
> users have already accepted. There are limits to the amount of
> backwards incompatible change users will tolerate, and at this point
> in time we're still trying to get people to accept proper Unicode
> support.

Side note:
Users can simply add self-signed certs to OpenSSL's cert store and get
validation for free. It's possible to do that with an environment
variable, too. But I recommend against the environment variable because
you may overwrite the operating store.

Christian
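
An added example, not part of the original message: a small audit helper that reports whether an environment variable is replacing OpenSSL's built-in CA file or directory, which is the risk the side note raises. The function name `trust_store_report` and the sample path are hypothetical; the variable names are read from Python's `ssl` module rather than assumed.

```python
import os
import ssl


def trust_store_report(environ=None):
    """Report OpenSSL's CA lookup locations and any environment override.

    `environ` defaults to os.environ; pass a dict to check a planned
    configuration without changing the running process.
    """
    environ = os.environ if environ is None else environ
    paths = ssl.get_default_verify_paths()
    report = {}
    for kind, env_name, builtin in (
        ("cafile", paths.openssl_cafile_env, paths.openssl_cafile),
        ("capath", paths.openssl_capath_env, paths.openssl_capath),
    ):
        override = environ.get(env_name)
        report[kind] = {
            "env_var": env_name,      # variable OpenSSL consults for this lookup
            "builtin": builtin,       # location compiled into OpenSSL
            "override": override,     # value of the variable, or None
            # When the variable is set, its value is used instead of the
            # built-in location for this lookup, not in addition to it.
            "builtin_shadowed": override is not None and override != builtin,
            # A dangling override leaves this lookup with nothing to load.
            "override_exists": override is not None and os.path.exists(override),
        }
    return report


if __name__ == "__main__":
    for kind, info in trust_store_report().items():
        state = "SHADOWED by" if info["builtin_shadowed"] else "not overridden by"
        print(f"{kind}: built-in {info['builtin']!r} {state} ${info['env_var']}")
```

Running the module directly prints the status for the current process environment.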



