[Python-Dev] Enable Hostname and Certificate Chain Validation
Christian Heimes christian at python.org
Wed Jan 22 15:07:19 CET 2014
- Previous message: [Python-Dev] Enable Hostname and Certificate Chain Validation
- Next message: [Python-Dev] Wrong keyword parameter name in regex pattern methods
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 22.01.2014 14:24, Nick Coghlan wrote:
> On 22 January 2014 23:19, Antoine Pitrou <solipsis at pitrou.net> wrote:
>> On Wed, 22 Jan 2014 05:30:40 -0500 Donald Stufft <donald at stufft.io> wrote:
>>> I would like to propose that a backwards incompatible change be made to Python to make verification of hostname and certificate chain the default instead of requiring it to be opt in.
>>>
>>> Python 3.4 has made great strides in making it easier for applications to simply turn on these settings, however many people are not aware at all that they need to opt into this. Most assume that it will operate similarly to their browser, curl, wget, etc.
>>
>> Python is not a Web client. Are you talking specifically about urllib?
>
> And all the other client modules that can make secure network connections (but don't validate that the certificate matches the hostname by default).

With Python 3.4 all stdlib modules can verify the hostname and in fact do with ssl.create_default_context(). Several modules like ftplib didn't support SNI and hostname verification.
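
Added example, not part of the original message or of CPython's own code: a small audit that reports whether a client-side SSLContext validates the certificate chain and the hostname, run against ssl.create_default_context() and against a context with both checks switched off. The helper names (audit_context, opted_in_context, unverified_context, disable_chain_only) are hypothetical, and the unverified context is a constructed stand-in for the opt-in default the thread is discussing.

```python
import ssl


def audit_context(ctx):
    """Return a list of findings for a client-side SSLContext (empty list = OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "certificate chain is not validated (verify_mode=%s)"
            % ctx.verify_mode.name
        )
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings


def opted_in_context():
    """The context the message refers to: chain and hostname checks both on."""
    return ssl.create_default_context()


def unverified_context():
    """Constructed stand-in for a connection that never opted in to verification."""
    ctx = ssl.create_default_context()
    # Order matters: check_hostname must be cleared before verify_mode.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def disable_chain_only():
    """Try to drop chain validation while keeping hostname checking.

    The ssl module refuses this combination, because a hostname match
    against an unvalidated certificate proves nothing. Returns the error
    text, or None if the assignment was accepted.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("default context :", audit_context(opted_in_context()) or "OK")
    print("unverified      :", audit_context(unverified_context()))
    print("chain-only off  :", disable_chain_only())
```

The same audit_context() call can be pointed at any SSLContext an application passes to a stdlib client module to confirm that both checks are active before a connection is made.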