[Python-Dev] PEP476: Enabling certificate validation by default
ncoghlan at gmail.com
Sat Sep 20 00:52:32 CEST 2014
On 20 September 2014 08:34, Alex Gaynor <alex.gaynor at gmail.com> wrote:
> Pushed a new version which I believe adresses all of these. I added an
> example of opting-out with urllib.urlopen, let me know if there's any other
> APIs you think I should show an example with.
It would be worth explicitly stating the process global monkeypatching hack:
ssl._create_default_https_context = ssl._create_unverified_context
Adding that hack to sitecustomize allows corporate sysadmins that can
update their standard operating environment more easily than they can
fix invalid certificate infrastructure to work around the problem on
behalf of their users. It also helps out users that will be able to
deal with such broken infrastructure without updating each and every
one of their scripts.
It's deliberately ugly because it's a genuinely bad idea that folks
should want to avoid using, but as a matter of practical reality,
corporate IT departments are chronically understaffed, and often fully
committed to fighting the crisis du jour, without sufficient time
being available for regular infrastructure maintenance tasks.
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
More information about the Python-Dev