[Python-Dev] PEP476: Enabling certificate validation by default

[Nick Coghlan]

On 21 September 2014 08:22, Guido van Rossum <guido at python.org> wrote:
> Sounds good. Maybe we should put the specifically targeted releases in PEP
> 476?
>
> Nick, do Christian's issues need to be mentioned in the PEP or should we
> just keep those in the corresponding tracker items?

They should be mentioned in the PEP, as they will impact the way the
proposed change interacts with the platform trust database - I didn't
realise the differences on Windows and Mac OS X myself until Christian
mentioned them.

To be completely independent of the system trust database in a
reliable, cross-platform way, folks will need to use a custom SSL
context that doesn't enable the system trust store, rather than
relying on the OpenSSL config options - the latter will reliably *add*
certificates, but they won't reliably ignore the default ones provided
by the system.

We may also need some clarification from Ned regarding the status of
OpenSSL and the potential impact switching from dynamic linking to
static linking of OpenSSL may have in terms of the
"OPENSSL_X509_TEA_DISABLE" setting.

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia