[Python-Dev] PEP476: Enabling certificate validation by default

Guido van Rossum guido at python.org
Sun Sep 21 03:53:58 CEST 2014


OK, I'll hold off a bit on approving the PEP, but my intention is to approve it. Go Alex go!

On Sat, Sep 20, 2014 at 4:03 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:

On 21 September 2014 08:22, Guido van Rossum <guido at python.org> wrote:
> Sounds good. Maybe we should put the specifically targeted releases in PEP
> 476?
>
> Nick, do Christian's issues need to be mentioned in the PEP or should we
> just keep those in the corresponding tracker items?

They should be mentioned in the PEP, as they will impact the way the proposed change interacts with the platform trust database - I didn't realise the differences on Windows and Mac OS X myself until Christian mentioned them.

To be completely independent of the system trust database in a reliable, cross-platform way, folks will need to use a custom SSL context that doesn't enable the system trust store, rather than relying on the OpenSSL config options - the latter will reliably add certificates, but they won't reliably ignore the default ones provided by the system.

We may also need some clarification from Ned regarding the status of OpenSSL and the potential impact switching from dynamic linking to static linking of OpenSSL may have in terms of the "OPENSSL_X509_TEA_DISABLE" setting.

Regards,
Nick.

--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia

--
--Guido van Rossum (python.org/~guido)
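Added example, not part of the original thread or of CPython's own code: one way to build the "custom SSL context that doesn't enable the system trust store" described in the quoted reply, with a small audit helper to confirm what the context has loaded. The function names `isolated_client_context` and `trust_report` are hypothetical; the example assumes a Python 3 `ssl` module that provides `PROTOCOL_TLS_CLIENT`.

```python
import ssl


def isolated_client_context(cafile=None, capath=None, cadata=None):
    """Client context that trusts only the CAs passed in explicitly.

    It never calls load_default_certs() or set_default_verify_paths(),
    so this code does not ask for the platform trust store or for
    OpenSSL's default certificate locations.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already implies both settings; they are set
    # explicitly so a later edit cannot silently weaken them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile or capath or cadata:
        ctx.load_verify_locations(cafile=cafile, capath=capath, cadata=cadata)
    return ctx


def trust_report(ctx):
    """Summarise what a context verifies against.

    Only eagerly loaded certificates are counted: entries in a capath
    directory are loaded on first use and do not show up here.
    """
    stats = ctx.cert_store_stats()
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "loaded_certs": stats["x509"],
        "loaded_cas": stats["x509_ca"],
    }


if __name__ == "__main__":
    # Isolated context with no CA supplied: nothing is trusted, so every
    # handshake would fail until a CA file or CA data is passed in.
    print("isolated:", trust_report(isolated_client_context()))
    # For comparison, the stock helper asks for the default trust
    # locations; the counts it reports vary by platform.
    print("default: ", trust_report(ssl.create_default_context()))
```

In real use, pass the PEM bundle of the private CA as `cafile` (or its contents as `cadata`) and hand the returned context to the HTTPS client.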


