[Python-Dev] PEP 476: Enabling certificate validation by default!

Cory Benfield cory at lukasa.co.uk
Wed Sep 3 10:26:44 CEST 2014

On 3 September 2014 01:19, Antoine Pitrou <solipsis at pitrou.net> wrote:
> Keeping saying it doesn't make it magically true.

Sure, but it *is* true, at the very least for HTTP.

RFC 2818 (HTTP over TLS) has the following language in section 3.1:

> If the hostname is available, the client MUST check it against the
> server's identity as presented in the server's Certificate message,
> in order to prevent man-in-the-middle attacks.
> If the client has external information as to the expected identity of
> the server, the hostname check MAY be omitted.

The default behaviour of httplib is in contravention of the normative
language of this specification and is therefore bugged. (For those
unclear about the relevance of RFC 2818, it's normatively referenced
by RFC 7230, which is the HTTP/1.1 spec.)

This should silence the debate about whether or not httplib's
behaviour is a bug or not.

> Besides, it can perfectly well be a bug fix *as well as* a break in
> backwards compatibility.

This is definitely true, and this change is both. The only question
that matters is whether we believe we're doing users a service by
breaking their code. I'd argue, along with Glyph, Alex and Donald,
that we are. I've been on the losing side of this debate a number of
times though, and I expect I will be again.

More information about the Python-Dev mailing list