[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Chris Angelico rosuav at gmail.com
Thu Jun 1 06:05:48 EDT 2017


On Thu, Jun 1, 2017 at 8:01 PM, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Thu, 1 Jun 2017 19:50:22 +1000
> Chris Angelico <rosuav at gmail.com> wrote:
>> On Thu, Jun 1, 2017 at 7:23 PM, Antoine Pitrou <antoine at python.org> wrote:
>> >> Do you also disagree on the need of the PEP 546
>> >> (backport) to make the PEP 543 (new TLS API) feasible in practice?
>> >
>> > Yes, I disagree.  We needn't backport that new API to Python 2.7.
>> > Perhaps it's time to be reasonable: Python 2.7 has been in bugfix-only
>> > mode for a very long time.  Python 3.6 is out.  We should move on.
>>
>> But it is in *security fix* mode for at least another three years
>> (ish). Proper use of TLS certificates is a security question.
>
> Why are you bringing up "proper use of TLS certificates"?  Python 2.7
> doesn't need another backport for that.  The certifi package is
> available for Python 2.7 and can be integrated simply with the existing
> ssl module.

As stated in this thread, OS-provided certificates are not handled by
that. For instance, if a local administrator distributes a self-signed
cert for the intranet server, web browsers will use it, but pip will
not.

ChrisA