[Python-Dev] PEP476: Enabling certificate validation by default

Christian Heimes christian at python.org
Sun Sep 21 12:57:05 CEST 2014

On 21.09.2014 01:03, Nick Coghlan wrote:
> We may also need some clarification from Ned regarding the status of
> OpenSSL and the potential impact switching from dynamic linking to
> static linking of OpenSSL may have in terms of the
> "OPENSSL_X509_TEA_DISABLE" setting.

You may want to ask Hynek, too. He initially discovered the issue and
made me aware how Apple is tying keychain into OpenSSL. You may find the
code in:


The TEA (Trust Evaluation Agent) switch is global and affects all SSL
context instances. There is no canonical way to set the TEA flag for a
single context or socket.

/* -1: not set
 *  0: set to false
 *  1: set to true
 */
static int tea_enabled = -1;

void
X509_TEA_set_state(int change)
{
	tea_enabled = (change) ? 1 : 0;
}

int
X509_TEA_is_enabled()
{
	if (tea_enabled < 0)
		tea_enabled = (NULL == getenv(X509_TEA_ENV_DISABLE));

	return tea_enabled != 0;
}
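
Three behaviours follow from the snippet above: the presence of the variable, not its value, disables TEA; the first query latches the result; and an explicit set call overrides the environment for the whole process. The model below is an added example, not part of the original message or of Apple's source. The model_* names are hypothetical, and the variable name is assumed to be the OPENSSL_X509_TEA_DISABLE quoted earlier in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
/* POSIX calls, declared here so the file also builds under strict -std=c11. */
int setenv(const char *name, const char *value, int overwrite);
int unsetenv(const char *name);

/* Assumption: X509_TEA_ENV_DISABLE names the variable quoted in the thread. */
#define TEA_ENV_DISABLE "OPENSSL_X509_TEA_DISABLE"
static int tea_state = -1; /* -1 not set, 0 false, 1 true; one per process */

static void model_reset(void) { tea_state = -1; } /* demo helper only */
static void model_set_state(int change) { tea_state = change ? 1 : 0; }
static int model_is_enabled(void)
{
	if (tea_state < 0) /* first query reads the environment, then latches */
		tea_state = (NULL == getenv(TEA_ENV_DISABLE));
	return tea_state != 0;
}

/* Case 1: presence, not value, decides: "=0" still turns TEA off. */
int tea_with_env_zero(void)
{
	model_reset();
	setenv(TEA_ENV_DISABLE, "0", 1);
	return model_is_enabled();
}

/* Case 2: setting the variable after the first query has no effect. */
int tea_after_late_setenv(void)
{
	model_reset();
	unsetenv(TEA_ENV_DISABLE);
	(void)model_is_enabled(); /* latches "enabled" */
	setenv(TEA_ENV_DISABLE, "1", 1);
	return model_is_enabled();
}

/* Case 3: an explicit set wins over the environment, for every context. */
int tea_after_explicit_enable(void)
{
	model_reset();
	setenv(TEA_ENV_DISABLE, "1", 1);
	model_set_state(1);
	return model_is_enabled();
}

int main(void)
{
	printf("env=0: %d, late setenv: %d, set_state(1): %d\n",
	       tea_with_env_zero(), tea_after_late_setenv(), tea_after_explicit_enable());
	return 0;
}
```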
