[Python-Dev] Enable Hostname and Certificate Chain Validation
donald at stufft.io
Wed Jan 22 15:33:18 CET 2014
On Jan 22, 2014, at 9:28 AM, Paul Moore <p.f.moore at gmail.com> wrote:
> On 22 January 2014 13:29, Christian Heimes <christian at python.org> wrote:
>> Side note:
>> Users can simple add self-signed certs to OpenSSL's cert store and get
>> validation for free. It's possible to do that with an environment
>> variable, too. But I recommend against the environment variable because
>> you may overwrite to operating store.
> I'm pretty sure what I'm about to ask isn't what you mean, but take it
> as an example of how people may misunderstand and/or misinterpret
> comments in this area ;-)
> So if I set up a PyPI mirror running under https, with a self-signed
> certificate, can you explain how I get it to work? For "work", assume
> I mean pip will use it, I can browse to it with my web browser, and my
> various Python scripts (now running under Python 3.5 with SSL
> verification on by default) that query the index all work without
> needing extra flags, code changes, or interactive prompts.
> I'm on Windows, by the way, just for added fun.
For everything but pip, you’d add it to your OS cert store. Pip doesn’t
use that so you’d have to use the —cert config.
> (This is a one of the real-world reasons I've never set up a local
> https index - not a big one, laziness trumps it by miles :-) as does
> the effectiveness of simpler solutions - but it's there. I did think
> about it at one stage. If I *were* to set up an index, it's definitely
> why I'd use http rather than bothering with https.)
> Python-Dev mailing list
> Python-Dev at python.org
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/donald%40stufft.io
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Python-Dev