[Python-Dev] Enable Hostname and Certificate Chain Validation

Stephen J. Turnbull stephen at xemacs.org
Thu Jan 23 09:37:06 CET 2014


Cory Benfield writes:

> I'm overwhelmingly, dramatically +1 on this. There's no good architectural reason to not use the built-in certificate chains by default. I'd like to be in favour of backporting this change to earlier Python versions as well, but it feels just a bit too aggressive.

-1 This is just a bit too aggressive, too.

I'll guarantee this breaks applications all over Japan, especially in universities because the Ministry of Education uses certificates rooted somewhere nobody's ever heard of, and typically don't bother to ensure the domain name matches the cert being presented. I've even run into such domain-match issues with banks (not banks I deal with any more, of course!)

This is quite different from web browsers and other interactive applications. It has the potential to break "secure" mail and news and other automatic data transfers. Breaking people's software that should run silently in the background just because they upgrade Python shouldn't happen, and people here will blame Python, not their broken websites and network apps.

I don't know what the right answer is, but this needs careful discussion and amelioration, not just "you're broken, so take the consequences!"


