[Python-Dev] PEP 476: Enabling certificate validation by default!
Antoine Pitrou antoine at python.org
Sun Aug 31 23:53:14 CEST 2014
On 31/08/2014 23:41, Nick Coghlan wrote:
> Right, this is why I came to the conclusion we need to follow the browser vendors' lead here and support a per-user Python specific supplementary certificate cache before we can start validating certs by default at the Python level. There are still too many failure modes for cert management on private networks for us to safely ignore the use case of needing to force connections to services with invalid certs.

We are not ignoring that use case. The proper solution is simply to disable cert validation in the application code (or, for more sophisticated needs, provide an application configuration setting for cert validation).

> In the meantime, we can update the security considerations for the ssl module to make it clearer that the defaults are set up for trusted networks and that using it safely on the public internet may mean you're better off with a third party library like requests or Twisted.

No, you simply have to select the proper validation settings.

Regards
Antoine.
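
An application configuration setting for cert validation, as mentioned in the message above, could look like the following Python sketch. This is an added example, not part of the original message or of PEP 476; the setting keys (`verify_default`, `hosts`, `verify`, `cafile`), the helper names and the host names are hypothetical.

```python
import ssl

# Constructed application settings; host names and keys are hypothetical.
SETTINGS = {
    "verify_default": True,
    "hosts": {
        # Private service with an invalid cert: explicit, per-host opt-out.
        "legacy.intranet.example": {"verify": False},
    },
}


def build_context(verify=True, cafile=None):
    """Return a client SSLContext; validation stays on unless verify is False."""
    if not isinstance(verify, bool):
        # Reject "false", 0, None, ...: a mistyped setting must not silently
        # change the validation behaviour.
        raise TypeError("verify must be a bool, got %r" % (verify,))
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        # Order matters: setting CERT_NONE while check_hostname is still
        # True raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_for_host(host, settings=SETTINGS):
    """Look up the per-host setting, falling back to the application default."""
    host_cfg = settings.get("hosts", {}).get(host.lower(), {})
    verify = host_cfg.get("verify", settings.get("verify_default", True))
    # An optional "cafile" entry (assumed key) trusts a private CA instead
    # of switching validation off.
    return build_context(verify=verify, cafile=host_cfg.get("cafile"))


def describe(host, settings=SETTINGS):
    """Summarise the effective validation settings for a host."""
    ctx = context_for_host(host, settings)
    return {
        "host": host,
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    for name in ("public.example", "legacy.intranet.example"):
        print(describe(name))
```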