[Python-Dev] PEP 476: Enabling certificate validation by default!

Guido van Rossum guido at python.org
Wed Sep 3 21:37:24 CEST 2014

OK, that changes my position for 2.7 (but not for 3.5). I had assumed there
was a way to disable the cert check by changing one parameter to the
urlopen() call. (And I had wanted to add that there should be a clear FAQ
about the subject.) If this isn't possible that changes the situation. (But
I still think that once we do have that simple change option we should do
it, in a later 2.7 upgrade.)

I apologize for speaking before I had read all facts, and I'll await what
you and Nick come up with.


On Wed, Sep 3, 2014 at 12:26 PM, Christian Heimes <christian at python.org>

> On 03.09.2014 19:54, Guido van Rossum wrote:
> > Let's take the plunge on this issue for the next 2.7 release (3.5 being
> > a done deal). Yes, some people will find that they have an old script
> > accessing an old service which breaks. Surely some of the other changes
> > in the same 2.7 bugfix release will also break some other scripts.
> > People deal with it. Probably 90% of the time it's an annoyance (but no
> > worse than any other minor-release upgrade -- you should test upgrades
> > before committing to them, and if all else fails, roll it back). But at
> > least some of the time it will be a wake-up call and an expired
> > certificate will be replaced, resulting in more security for all.
> I'm +1 for Python 3.5 but -1 for Python 2.7.
> The SSLContext backport will landed in Python 2.7.9 (to be released). No
> Python 2 user is familiar with the feature yet. But more importantly:
> None of the stdlib modules support the new feature, too. httplib,
> imaplib ... they all don't take a SSLContext object as an argument.
> PEP-466 does not include the backport for the network modules. Without
> the context argument there is simply no clean way to configure the SSL
> handshake properly.
> The default settings must stay until we decide to backport the context
> argument and have a way to configure the default behavior. Nick and me
> are planing a PEP.
> Christian

--Guido van Rossum (python.org/~guido)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140903/beec53b3/attachment-0001.html>

More information about the Python-Dev mailing list