[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
Benjamin Peterson benjamin at python.org
Mon Jun 3 09:14:39 CEST 2013
- Previous message: [Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
- Next message: [Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
2013/6/3 Donald Stufft <donald at stufft.io>:
> On Jun 3, 2013, at 1:58 AM, Benjamin Peterson <benjamin at python.org> wrote:
>> 2013/6/2 Donald Stufft <donald at stufft.io>:
>>> As of right now, as far as I can tell, Python does not validate HTTPS certificates by default. As far as I can tell this is because there are no guaranteed certificates available. So I would like to propose that CPython adopt the Mozilla SSL certificate list and include it in core, and switch over the APIs so that they verify HTTPS by default.
>> +1
>>> Ideally this would take the shape of attempting to locate the system certificate store if possible, and if that doesn't work falling back to the bundled certificates. That way the various Linux distros can easily have their copies of Python depend solely on their built in certs, but Windows, OSX, Source compiles etc will all still have a fallback value.
>> My preference would actually be for the included certificates file to be used by default. This would provide a consistent experience across platforms. We could provide options to look for system cert repositories if desired.
> That's fine with me too. My only reason for wanting to use the system certs first is so if someone has modified their system certs (say to include a corporate cert) that it would ideally take effect for Python as well.
I don't think users should be able to modify stdlib behaviors (in this case could be unintentionally) without application consent.
> But honestly the Linux distros will probably modify things to use system certs anyways and non Linux (esp Windows) probably doesn't have a way to get those system certs into OpenSSL.
Yes, I'm happy to let them figure it out.
-- Regards, Benjamin
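The two orderings debated above (system store first with a bundled fallback, versus bundled file by default with the system store as an opt-in) can both be expressed with the `ssl` module that later shipped in CPython. The following is an added illustration written for this archive page, not code from the thread or from CPython itself; the `order` tuple, the `bundle_path` parameter and the error-on-empty-store behaviour are design choices of this example. It also reports the OpenSSL environment variables (`SSL_CERT_FILE` / `SSL_CERT_DIR` on common builds) that let a user redirect trust without the application's knowledge, which is the concern raised in the reply.

```python
"""Client-side SSLContext that verifies server certificates by default,
loading trust anchors from the platform store and/or a bundled CA file
in a configurable order. Added example; not CPython's own implementation."""
import os
import ssl


def is_verifying(ctx):
    """True only if ctx both requires a valid chain and checks the hostname.
    PROTOCOL_TLS_CLIENT sets both, but either can be switched off later,
    so callers that care should check rather than assume."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def load_trust_anchors(ctx, bundle_path=None, order=("system", "bundle")):
    """Populate ctx with CA roots, trying each source in `order`.

    "system" -> ctx.load_default_certs() (OpenSSL default paths, plus the
                Windows certificate stores on Windows)
    "bundle" -> a PEM file shipped with the application (hypothetical path)

    Returns the first source that actually contributed CA certificates.
    Raises ssl.SSLError if none did: a context with an empty trust store
    would reject every server, and that should be a visible error rather
    than a mysterious handshake failure later."""
    for source in order:
        if source == "system":
            ctx.load_default_certs(purpose=ssl.Purpose.SERVER_AUTH)
        elif source == "bundle" and bundle_path and os.path.isfile(bundle_path):
            ctx.load_verify_locations(cafile=bundle_path)
        else:
            continue  # unknown source name or bundle file absent
        if ctx.cert_store_stats()["x509_ca"] > 0:
            return source
    raise ssl.SSLError(
        "no CA certificates found (tried %s); refusing to verify against "
        "an empty trust store" % ", ".join(order)
    )


def make_verifying_context(bundle_path=None, order=("system", "bundle")):
    """Return (ctx, source). PROTOCOL_TLS_CLIENT gives CERT_REQUIRED and
    check_hostname=True; the explicit check guards against a context that
    was later downgraded elsewhere in the program."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    source = load_trust_anchors(ctx, bundle_path, order)
    if not is_verifying(ctx):
        raise RuntimeError("context does not verify peer certificates")
    return ctx, source


def trust_store_overrides():
    """Return {env_var: value} for the OpenSSL CA-location variables that
    are set in this process. Their names come from the OpenSSL build via
    ssl.get_default_verify_paths(); a non-empty result means the trust
    store used by load_default_certs() was redirected from outside the
    application."""
    paths = ssl.get_default_verify_paths()
    names = (paths.openssl_cafile_env, paths.openssl_capath_env)
    return {name: os.environ[name] for name in names if name in os.environ}


if __name__ == "__main__":
    # "bundle.pem" is a placeholder path for an application-shipped CA file.
    ctx, source = make_verifying_context(bundle_path="bundle.pem")
    print("trust anchors loaded from:", source)
    print("CA certificates in store:", ctx.cert_store_stats()["x509_ca"])
    print("environment overrides in effect:", trust_store_overrides())
```

Passing `order=("bundle", "system")` gives the bundled-by-default behaviour Benjamin prefers; the default tuple gives the system-first fallback Donald describes. Either way the resulting context refuses unverified connections, which is the point of the proposal.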