[Python-Dev] PEP 476: Enabling certificate validation by default!

Christian Heimes christian at python.org
Wed Sep 3 21:26:32 CEST 2014

On 03.09.2014 19:54, Guido van Rossum wrote:
> Let's take the plunge on this issue for the next 2.7 release (3.5 being
> a done deal). Yes, some people will find that they have an old script
> accessing an old service which breaks. Surely some of the other changes
> in the same 2.7 bugfix release will also break some other scripts.
> People deal with it. Probably 90% of the time it's an annoyance (but no
> worse than any other minor-release upgrade -- you should test upgrades
> before committing to them, and if all else fails, roll it back). But at
> least some of the time it will be a wake-up call and an expired
> certificate will be replaced, resulting in more security for all.

I'm +1 for Python 3.5 but -1 for Python 2.7.

The SSLContext backport will landed in Python 2.7.9 (to be released). No
Python 2 user is familiar with the feature yet. But more importantly:
None of the stdlib modules support the new feature, too. httplib,
imaplib ... they all don't take a SSLContext object as an argument.
PEP-466 does not include the backport for the network modules. Without
the context argument there is simply no clean way to configure the SSL
handshake properly.

The default settings must stay until we decide to backport the context
argument and have a way to configure the default behavior. Nick and me
are planing a PEP.


More information about the Python-Dev mailing list