[Python-Dev] Enable Hostname and Certificate Chain Validation

"Martin v. Löwis" martin at v.loewis.de
Thu Jan 23 13:41:08 CET 2014

Am 23.01.14 07:45, schrieb Scott Dial:
> Anecdotally, I already know of a system at work that is using HTTPS
> purely for encryption, because the authentication is done in-band. So, a
> self-signed cert was wholly sufficient. The management tools use a
> RESTful interface over HTTPS for control, but you are telling me this
> will be broken by default now. What do I tell our developers (who often
> adopt the latest and greatest versions of things to play with)?

If they play with the newest version before actually using it in
production, all is well. You can then tell them that they have
four options:
- not upgrade to the newest Python release (at least not until
  they are willing to pursue any of the other alternatives)
- update the code to disable cert validation, or explicitly
  add the self-signed cert as a trusted one programmatically.
- update the client system configuration, to add the self-signed
  certificate as trusted (system-wide or per user).
- update the server, to use a cert signed by one of the
  trusted CAs.


More information about the Python-Dev mailing list