[Python-Dev] Enable Hostname and Certificate Chain Validation
donald at stufft.io
Wed Jan 22 15:25:25 CET 2014
On Jan 22, 2014, at 9:19 AM, Paul Moore <p.f.moore at gmail.com> wrote:
> On 22 January 2014 13:55, Donald Stufft <donald at stufft.io> wrote:
>> As an additional side note, anecdotal evidence and what not, but
>> *every* time I bring this up somewhere I get at least one reply that
>> looks similar to https://twitter.com/ojiidotch/status/425986619879866368
> Surprise that Python doesn't verify certs is one thing. I would also
> like to live in a world where Python has always verified certs, and
> all the issues have already been resolved. Imposing breakage on end
> users because we haven't managed to persuade application developers to
> do the right thing yet (even though it appears we've made it
> one-line-of-code easy to do so) is another thing entirely.
Note that it requires users to even be aware they *need* to do that
one line of code, which many are not.
> But the deprecation cycle gives application developers time (and a
> deadline) so I'm happy with that.
Awesome, it looks like I’ll be writing a PEP to handle this; I wasn’t
sure if it needed one or not.
> Although from MAL's original comment:
>> Note that several python.org services use CAcerts which would no
>> longer be accessible per default following such a change.
> The PSF needs to get that sorted before making cert validation the
> default in Python, IMO.
I’m not aware of which services those are; if MAL (or anyone else)
can point them out I’ll see what I can do to make that happen.
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA