[Python-Dev] PEP 476: Enabling certificate validation by default! (original) (raw)
R. David Murray rdmurray at bitdance.com
Fri Aug 29 23:42:34 CEST 2014
- Previous message: [Python-Dev] PEP 476: Enabling certificate validation by default!
- Next message: [Python-Dev] PEP 476: Enabling certificate validation by default!
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, 29 Aug 2014 17:11:35 -0400, Donald Stufft <donald at stufft.io> wrote:
Sorry I was on my phone and didn’t get to fully reply to this. > On Aug 29, 2014, at 4:00 PM, M.-A. Lemburg <mal at egenix.com> wrote: > > * configuration: > > It would be good to be able to switch this on or off > without having to change the code, e.g. via a command > line switch and environment variable; perhaps even > controlling whether or not to raise an exception or > warning.
I’m on the fence about this, if someone provides a certificate that we can validate against (which can be done without touching the code) then the only thing that really can’t be “fixed†without touching the code is if someone has a certificate that is otherwise invalid (expired, not yet valid, wrong hostname, etc). I’d say if I was voting on this particular thing I’d be -0, I’d rather it didn’t exist but I wouldn’t cry too much if it did.
Especially if you want an accelerated change, there must be a way to easily get back to the previous behavior, or we are going to catch a lot of flack. There may be only 7% of public certs that are problematic, but I'd be willing to bet you that there are more not-really-public ones that are critical to day to day operations somewhere :)
wget and curl have 'ignore validation' as a command line flag for a reason.
--David
- Previous message: [Python-Dev] PEP 476: Enabling certificate validation by default!
- Next message: [Python-Dev] PEP 476: Enabling certificate validation by default!
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]