[Python-Dev] PEP 476: Enabling certificate validation by default! (original) (raw)
Barry Warsaw barry at python.org
Sat Aug 30 18:42:12 CEST 2014
- Previous message: [Python-Dev] PEP 476: Enabling certificate validation by default!
- Next message: [Python-Dev] PEP 476: Enabling certificate validation by default!
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Aug 30, 2014, at 12:19 PM, M.-A. Lemburg wrote:
The reasoning here is the same as for hash randomization. There are cases where you want to test your application using self-signed certificates which don't validate against the system CA root list.
In those cases, you do know what you're doing. The test would fail otherwise and the reason is not a bug in your code, it's just the fact that the environment you're running it in is a test environment.
Exactly. I have test cases where I have to load up a self-signed cert via .load_cert_chain() and in the good-path tests, I expect to make successful https connections. I also have test cases that expect to fail when:
- I load bogus self-signed certs
- I have an http server masquerading as an https server
- I load an expired self-signed cert
It certainly makes sense for the default to be the most secure, but other use cases must be preserved.
Cheers, -Barry
- Previous message: [Python-Dev] PEP 476: Enabling certificate validation by default!
- Next message: [Python-Dev] PEP 476: Enabling certificate validation by default!
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]