[Python-Dev] PEP476: Enabling certificate validation by default

Guido van Rossum guido at python.org
Sun Sep 21 03:53:58 CEST 2014

OK, I'll hold off a bit on approving the PEP, but my intention is to
approve it. Go Alex go!

On Sat, Sep 20, 2014 at 4:03 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:

> On 21 September 2014 08:22, Guido van Rossum <guido at python.org> wrote:
> > Sounds good. Maybe we should put the specifically targeted releases in
> > 476?
> >
> > Nick, do Christian's issues need to be mentioned in the PEP or should we
> > just keep those in the corresponding tracker items?
> They should be mentioned in the PEP, as they will impact the way the
> proposed change interacts with the platform trust database - I didn't
> realise the differences on Windows and Mac OS X myself until Christian
> mentioned them.
> To be completely independent of the system trust database in a
> reliable, cross-platform way, folks will need to use a custom SSL
> context that doesn't enable the system trust store, rather than
> relying on the OpenSSL config options - the latter will reliably *add*
> certificates, but they won't reliably ignore the default ones provided
> by the system.
> We may also need some clarification from Ned regarding the status of
> OpenSSL and the potential impact switching from dynamic linking to
> static linking of OpenSSL may have in terms of the
> "OPENSSL_X509_TEA_DISABLE" setting.
> Regards,
> Nick.
> --
> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

--Guido van Rossum (python.org/~guido)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140920/fc522906/attachment.html>

More information about the Python-Dev mailing list