[Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance) (original) (raw)

Barry Warsaw barry at python.org
Wed Nov 25 14:57:14 EST 2015

There's a lot to process in this thread, but as I see it, the issue breaks down to these questions:

Let me take on the implementation details here.

On Nov 24, 2015, at 04:04 PM, M.-A. Lemburg wrote:

I would still find having built-in support for the recommendations in the Python stdlib a better approach

As would I.

Currently the PEP contains some sample code for reading a configuration file and an environment variable, and assigning the default behavior based on these values.

The first improvement to the stdlib I would have made would have been to add a convenience function to ssl to enable and disable the verification. Something like this:

def ssl.verify_certificates(enable)

Then at the simplest level, an application that wants to enable higher security could do this early in its main entry point:

import ssl
if hasattr(ssl, 'verify_certificates'):
    ssl.verify_certificates(True)

or

...
    ssl.verify_certificates(False)

and that would work regardless of the platform default, and it would work properly on older versions of Python 2.7 that didn't have the backport. This seems so straightforward, I'm wondering why PEP 493 doesn't consider it.

I would like to see the sample code in PEP 493 implemented in the stdlib. It would then be a matter of cherry picking that should a distro decide to backport it. It means one less non-trivial delta from upstream which has to be managed separately. The only difference to the combined approach I'd make is to handle the case where the _cert_verification_config file doesn't exist.

(If you included the convenience method above, then the sample code could be simplified down to a default for the enable parameter and a call to ssl.verify_certificates().)

Is it too late to include both of those suggestions in PEP 493 and Python 2.7.11?

Cheers, -Barry

More information about the Python-Dev mailing list