[Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)

Cory Benfield cory at lukasa.co.uk
Fri Nov 27 03:47:17 EST 2015


> On 27 Nov 2015, at 06:04, Nick Coghlan <ncoghlan at gmail.com> wrote:
> 
> Feature: Configuration API
> ==========================
> 
> This change is proposed for inclusion in CPython 2.7.12 and later CPython 2.7.x
> releases. It consists of a new ``ssl._verify_https_certificates()`` to specify
> the default handling of HTTPS certificates in standard library client libraries.
> 
> It is not proposed to forward port this change to Python 3, so Python 3
> applications that need to support skipping certificate verification will still
> need to define their own suitable security context.
> 
> Feature detection
> -----------------
> 
> The marker attribute on the ``ssl`` module related to this feature is the
> ``ssl._verify_https_certificates`` function itself.
> 
> Specification
> -------------
> 
> The ``ssl._verify_https_certificates`` function will work as follows::
> 
>    def _verify_https_certificates(enable=True):
>        """Verify server HTTPS certificates by default?"""
>        global _create_default_https_context
>        if enable:
>            _create_default_https_context = create_default_context
>        else:
>            _create_default_https_context = _create_unverified_context
> 
> If called without arguments, or with ``enable`` set to a true value, then
> standard library client modules will subsequently verify HTTPS
> certificates by default, otherwise they will skip verification.

Perhaps I missed this, Nick, but what happens if multiple third-party libraries apply updates to call this function in incompatible ways? For example, if you depend on libfoo which calls ssl._verify_https_certificates(False) and libbar which calls ssl._verify_https_certificates(True)? Is it…last import wins?
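The ordering problem raised above, worked through as an added example (not code from the PEP or from CPython's ssl module). The function below re-implements the PEP's proposed ``_verify_https_certificates`` against a module-level global of its own, so the real ``ssl`` module is never patched; ``libfoo`` and ``libbar`` are hypothetical libraries constructed for the illustration, and the ``resulting_default`` helper is an assumption of this example, not a stdlib API.

```python
import ssl

# Stand-in for ssl._create_default_https_context (this example's own global,
# so the real ssl module is left untouched). The secure default is the
# verifying context factory.
_create_default_https_context = ssl.create_default_context


def _verify_https_certificates(enable=True):
    """Verify server HTTPS certificates by default? (as specified in the PEP)"""
    global _create_default_https_context
    if enable:
        _create_default_https_context = ssl.create_default_context
    else:
        # ssl._create_unverified_context is the private factory that CPython
        # 2.7.9+ and 3.4.3+ ship for opting out of verification.
        _create_default_https_context = ssl._create_unverified_context


def default_context_verifies():
    """Report whether a stdlib HTTPS client built from the current default
    would verify the peer certificate AND check the hostname."""
    ctx = _create_default_https_context()
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Two hypothetical third-party libraries (constructed for this example) that
# each "fix" the process-wide default at import time, in opposite directions.
def import_libfoo():
    _verify_https_certificates(False)


def import_libbar():
    _verify_https_certificates(True)


def resulting_default(import_order):
    """Start from the secure default, run the given import hooks in order,
    and report whether the process still verifies certificates afterwards.
    Because the setting is a single global, the last caller wins."""
    _verify_https_certificates(True)
    for imp in import_order:
        imp()
    return default_context_verifies()


def application_pins_default():
    """What an application can do about it: decide last, after every
    dependency has been imported, so no library's import-time call is
    the final word."""
    import_libbar()
    import_libfoo()  # libfoo downgraded the default...
    _verify_https_certificates(True)  # ...but the application has the last say
    return default_context_verifies()


if __name__ == "__main__":
    print(resulting_default([import_libfoo, import_libbar]))  # True
    print(resulting_default([import_libbar, import_libfoo]))  # False
    print(application_pins_default())  # True
```

The two ``resulting_default`` calls differ only in import order, which is exactly the "last import wins" behaviour the question describes; ``application_pins_default`` shows the only reliable counter-measure under such an API, namely that the application, not a dependency, makes the final call.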

