[Python-Dev] Enable Hostname and Certificate Chain Validation

Christian Heimes christian at python.org
Wed Jan 22 15:07:19 CET 2014


On 22.01.2014 14:24, Nick Coghlan wrote:
> On 22 January 2014 23:19, Antoine Pitrou <solipsis at pitrou.net> wrote:
>> On Wed, 22 Jan 2014 05:30:40 -0500
>> Donald Stufft <donald at stufft.io> wrote:
>>> I would like to propose that a backwards incompatible change be
>>> made to Python to make verification of hostname and certificate
>>> chain the default instead of requiring it to be opt in.
>>>
>>> Python 3.4 has made great strides in making it easier for applications
>>> to simply turn on these settings, however many people are not aware
>>> at all that they need to opt into this. Most assume that it will operate
>>> similarly to their browser, curl, wget, etc.
>>
>> Python is not a Web client. Are you talking specifically about urllib?
> 
> And all the other client modules that can make secure network
> connections (but don't validate that the certificate matches the
> hostname by default).

With Python 3.4 all stdlib modules can verify the hostname and in fact
do with ssl.create_default_context(). Several modules like ftplib didn't
support SNI and hostname verification.
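
Added example, not part of the original message and not code from CPython: a check of whether a client-side SSLContext validates both the certificate chain and the hostname, run against ssl.create_default_context() and against a context constructed with both checks off. The helper names (audit_client_context, unverified_context, chain_check_can_be_dropped_alone) are hypothetical, and ssl.PROTOCOL_TLS_CLIENT assumes Python 3.6 or later.

```python
import ssl


def audit_client_context(ctx):
    """Return findings for a client-side SSLContext; an empty list means both checks are on."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not validated")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings


def unverified_context():
    """Constructed for comparison: a context with both checks switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_check_can_be_dropped_alone():
    """Try to disable chain validation while hostname checking stays enabled."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        # ssl refuses: a hostname match on an unvalidated certificate proves nothing
        return False
    return True


if __name__ == "__main__":
    contexts = (
        ("create_default_context()", ssl.create_default_context()),
        ("unverified (constructed)", unverified_context()),
    )
    for name, ctx in contexts:
        print(name, "->", audit_client_context(ctx) or "ok")
    print("CERT_NONE allowed with check_hostname on:",
          chain_check_can_be_dropped_alone())
```

The same audit function can be pointed at any SSLContext an application passes to a stdlib client module to confirm that nothing has weakened it before a connection is made.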



