[Python-Dev] Issues in Python TLS

Nick Coghlan ncoghlan at gmail.com
Wed Aug 17 12:15:03 EDT 2016


On 14 August 2016 at 09:14, Benjamin Peterson <benjamin at python.org> wrote:
> Correctness of TLS certificate verification is known to depend deeply on
> distribution. Python began to verify certificates by default only in
> version 2.7.9. Many OS distributions (in particular, Ubuntu) did not
> enable verification for their stable distributions for backwards
> compatibility reasons. You might find looking at distro bugs for
> CVE-2014-9365 edifying.

For RHEL (and hence CentOS),
https://access.redhat.com/articles/2039753 summarises the current
status.

Since the system Python in RHEL 7.x is nominally Python 2.7.5, the
default behaviour reflects that. However, both PEP 466 and PEP 476
have been backported (as of RHEL 7.2 and the corresponding CentOS
release), so requests picks up the new capabilities implicitly, while
the standard library can be configured for default verification by
writing:

   [https]
   verify=enable

to /etc/python/cert-verification.cfg

Since folks are now able to force verification *off* via that same
configuration file mechanism, we've also reserved the right to
eventually change the default Python standard library behaviour on a
fresh RHEL 7 installation to be to verify certificates.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
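The message above describes a distribution-level switch (the RHEL `[https] verify=enable` setting) that decides whether the standard library verifies certificates by default. The following is an added example, not code from the thread or from RHEL: it parses a constructed copy of that configuration format, reports whether the running interpreter's default HTTPS context verifies, and builds a context that verifies regardless of the distribution default. The helper names, the constructed sample configurations, and the interpretation of values other than `enable` are assumptions; the inspection of `ssl._create_default_https_context` relies on a private attribute that is absent on older interpreters such as the 2.7.5 mentioned above, in which case the check reports `False`.

```python
"""Check and enforce TLS certificate verification in Python's ssl module.

Added example (Python 3); not part of the original mailing-list post.
"""
import configparser
import ssl

# Constructed samples in the shape of the RHEL /etc/python/cert-verification.cfg
# file discussed in the thread. Only "enable" is quoted on the page; the
# "disable" value is assumed for illustration.
SAMPLE_CFG_ENABLED = """
[https]
verify=enable
"""

SAMPLE_CFG_DISABLED = """
[https]
verify=disable
"""


def cfg_verify_setting(cfg_text):
    """Return the [https] verify value from cfg_text, or None if unset.

    A missing file or missing key means the interpreter's own default applies
    (which, per the thread, is no verification on a 2.7.5-based system).
    """
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    if not parser.has_section("https"):
        return None
    value = parser.get("https", "verify", fallback=None)
    return value.strip().lower() if value is not None else None


def interpreter_verifies_by_default():
    """Report whether urllib-style HTTPS connections verify by default.

    Inspects the private hook the ssl module installs for default HTTPS
    contexts (assumption: present on 2.7.9+ and 3.x, absent on older builds).
    Returns False when the hook is missing, since those builds never verified.
    """
    factory = getattr(ssl, "_create_default_https_context", None)
    if factory is None:
        return False
    ctx = factory()
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def strict_context(cafile=None):
    """Build a context that always verifies, independent of distro defaults.

    Passing an explicit context to urllib.request.urlopen(url, context=ctx)
    or http.client.HTTPSConnection(host, context=ctx) sidesteps whatever
    the platform configured as the default behaviour.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Belt and braces: make the requirement explicit rather than relying on
    # create_default_context's own defaults.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    print("config sample (enabled):", cfg_verify_setting(SAMPLE_CFG_ENABLED))
    print("config sample (disabled):", cfg_verify_setting(SAMPLE_CFG_DISABLED))
    print("interpreter verifies by default:", interpreter_verifies_by_default())
    print("strict context verify_mode:", strict_context().verify_mode)
```

The practical takeaway matches the thread: an application that needs verification should pass its own context rather than trust the interpreter or distribution default, because that default can differ between an upstream 2.7.9, a vendor-patched 2.7.5, and a system where an administrator has set `verify=disable`.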

