[Python-Dev] PEP476: Enabling certificate validation by default

Nick Coghlan ncoghlan at gmail.com
Sat Sep 20 00:52:32 CEST 2014


On 20 September 2014 08:34, Alex Gaynor <alex.gaynor at gmail.com> wrote:
> Pushed a new version which I believe addresses all of these. I added an
> example of opting-out with urllib.urlopen, let me know if there are any other
> APIs you think I should show an example with.

It would be worth explicitly stating the process global monkeypatching hack:

    import ssl
    ssl._create_default_https_context = ssl._create_unverified_context

Adding that hack to sitecustomize allows corporate sysadmins that can
update their standard operating environment more easily than they can
fix invalid certificate infrastructure to work around the problem on
behalf of their users. It also helps out users that will be able to
deal with such broken infrastructure without updating each and every
one of their scripts.

It's deliberately ugly because it's a genuinely bad idea that folks
should want to avoid using, but as a matter of practical reality,
corporate IT departments are chronically understaffed, and often fully
committed to fighting the crisis du jour, without sufficient time
being available for regular infrastructure maintenance tasks.

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
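
An audit for the override described in the message above, as an added example that is not part of the original post or of CPython: a static scan of a file such as sitecustomize.py for rebinding of the hook, plus a runtime check of what the process-wide default context actually enforces. The names find_hook_overrides, default_https_verification_disabled and SAMPLE_SITECUSTOMIZE are hypothetical, and the sample file content is constructed.

```python
import ast
import ssl

HOOK = "_create_default_https_context"  # private hook named in the message above

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def find_hook_overrides(source, filename="<string>"):
    """Statically list (lineno, target, value) for every rebinding of the hook."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Assign):
            # Covers `<module or alias>.<hook> = ...`.
            for target in node.targets:
                name = _dotted(target)
                if name and name.endswith("." + HOOK):
                    findings.append((node.lineno, name, _dotted(node.value) or "<expr>"))
        elif (isinstance(node, ast.Call) and _dotted(node.func) == "setattr"
              and len(node.args) == 3
              and isinstance(node.args[1], ast.Constant) and node.args[1].value == HOOK):
            # Covers the indirect form setattr(<module>, "<hook>", ...).
            target = "%s.%s" % (_dotted(node.args[0]) or "<expr>", HOOK)
            findings.append((node.lineno, target, _dotted(node.args[2]) or "<expr>"))
    return sorted(findings)

def default_https_verification_disabled():
    """Runtime check: does the process-wide default context skip validation?"""
    ctx = ssl._create_default_https_context()
    return ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname

# Constructed sample: a sitecustomize.py carrying the override in two forms.
SAMPLE_SITECUSTOMIZE = '''\
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
setattr(ssl, "_create_default_https_context", ssl._create_unverified_context)
'''

if __name__ == "__main__":
    for lineno, target, value in find_hook_overrides(SAMPLE_SITECUSTOMIZE, "sitecustomize.py"):
        print("sitecustomize.py:%d: %s rebound to %s" % (lineno, target, value))
    print("verification disabled in this process:", default_https_verification_disabled())
```

The static scan only sees literal rebinding in the file it is given; the runtime check reports the effective setting regardless of how it was changed.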

