[Python-Dev] PEP 476: Enabling certificate validation by default!

Antoine Pitrou solipsis at pitrou.net
Tue Sep 2 23:32:08 CEST 2014

On Tue, 2 Sep 2014 14:00:02 -0700
Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
> I would strongly recommend against such a mechanism.
> For what it's worth, Twisted simply unconditionally started verifying certificates in 14.0 with no "disable" switch, and (to my knowledge) literally no users have complained.

And how many people are using Twisted as an HTTPS client?
(compared to e.g. Python's httplib, and all the third-party libraries
building on it?)

> Furthermore, "disable verification" is a nonsensical thing to do with TLS.

It's not. For example, if you have an expired cert, all you can do
AFAIK is to disable verification.



More information about the Python-Dev mailing list