[Python-Dev] Enable Hostname and Certificate Chain Validation

Stephen J. Turnbull stephen at xemacs.org
Thu Jan 23 09:37:06 CET 2014

Cory Benfield writes:

 > I'm overwhelmingly, dramatically +1 on this. There's no good
 > architectural reason to not use the built-in certificate chains by
 > default. I'd like to be in favour of backporting this change to earlier
 > Python versions as well, but it feels just a bit too aggressive.

-1  This is just a bit too aggressive, too.

I'll guarantee this breaks applications all over Japan, especially in
universities because the Ministry of Education uses certificates
rooted somewhere nobody's ever heard of, and typically don't bother to
ensure the domain name matches the cert being presented.  I've even
run into such domain-match issues with banks (not banks I deal with
any more, of course!)

This is quite different from web browsers and other interactive
applications.  It has the potential to break "secure" mail and news
and other automatic data transfers.  Breaking people's software that
should run silently in the background just because they upgrade Python
shouldn't happen, and people here will blame Python, not their broken
websites and network apps.

I don't know what the right answer is, but this needs careful
discussion and amelioration, not just "you're broken, so take the
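The kind of pre-upgrade audit this thread is asking for, as an added example that is not part of the original message or of CPython itself: a small helper that reproduces the hostname-matching rule Python applies once `check_hostname` is on (exact match or a single leftmost-label wildcard against subjectAltName dNSName entries, falling back to the subject commonName only when no dNSName is present), run over certificate dicts in the shape `SSLSocket.getpeercert()` returns. The hosts, certificates and the `audit` function are constructed for illustration; the real check lives in the `ssl` module and this helper only approximates it so an operator can see which background jobs would stop connecting before enabling strict validation.

```python
"""Added example (not from the original thread): audit which peer certificates
would fail hostname validation once Python verifies chains and names by
default.  All hosts and certificate dicts below are constructed."""
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, RFC 6125 style:
    case-insensitive, exact match, or '*' as the entire leftmost label
    matching exactly one label.  A wildcard needs at least two further
    labels, so '*.jp' never matches anything (over-broad wildcards are
    rejected rather than silently accepted)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Decide whether a peer certificate (getpeercert() dict shape) is valid
    for hostname.  subjectAltName dNSName entries take precedence; the subject
    commonName is consulted only when no dNSName SAN is present."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_dns_name_matches(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def strict_context() -> ssl.SSLContext:
    """The context the proposal would make the default: system trust store,
    chain verification required, hostname checked."""
    return ssl.create_default_context()


# Constructed peer certificates keyed by the hostname a job connects to.
CERTS = {
    "mail.example.ac.jp": {
        # CN only, issued for a different host: the classic domain-mismatch case.
        "subject": ((("commonName", "www.example.ac.jp"),),),
    },
    "news.example.ac.jp": {
        "subject": ((("commonName", "news.example.ac.jp"),),),
        "subjectAltName": (("DNS", "*.example.ac.jp"),),  # valid wildcard
    },
    "portal.example.ac.jp": {
        "subject": ((("commonName", "portal.example.ac.jp"),),),
        "subjectAltName": (("DNS", "*.jp"),),  # over-broad wildcard, rejected
    },
}


def audit(certs: dict) -> list:
    """Return, sorted, the hosts whose certificate would fail hostname
    validation, i.e. the jobs that would break silently after the upgrade."""
    return sorted(h for h, c in certs.items() if not cert_matches_hostname(c, h))


if __name__ == "__main__":
    ctx = strict_context()
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
    print("would break after enabling hostname checks:", audit(CERTS))
```

Running the audit against a real fleet means collecting each peer's certificate with `getpeercert()` from a context that still has `verify_mode = CERT_NONE`, then feeding those dicts to `audit`; the list it returns is exactly the set of certificates that needs fixing (or an explicit, documented per-host exception) before the default changes.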
