[Python-Dev] PEP 476: Enabling certificate validation by default!
Antoine Pitrou solipsis at pitrou.net
Tue Sep 2 23:32:08 CEST 2014
On Tue, 2 Sep 2014 14:00:02 -0700 Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
> I would strongly recommend against such a mechanism. For what it's worth, Twisted simply unconditionally started verifying certificates in 14.0 with no "disable" switch, and (to my knowledge) literally no users have complained.
And how many people are using Twisted as an HTTPS client? (compared to e.g. Python's httplib, and all the third-party libraries building on it?)
> Furthermore, "disable verification" is a nonsensical thing to do with TLS.
It's not. For example, if you have an expired cert, all you can do AFAIK is to disable verification.
Regards
Antoine.