[Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)

Cory Benfield cory at lukasa.co.uk
Fri Nov 27 03:47:17 EST 2015


On 27 Nov 2015, at 06:04, Nick Coghlan <ncoghlan at gmail.com> wrote:

> Feature: Configuration API
> ==========================
>
> This change is proposed for inclusion in CPython 2.7.12 and later CPython 2.7.x
> releases. It consists of a new ssl._verify_https_certificates() to specify the
> default handling of HTTPS certificates in standard library client libraries.
>
> It is not proposed to forward port this change to Python 3, so Python 3
> applications that need to support skipping certificate verification will still
> need to define their own suitable security context.
>
> Feature detection
> -----------------
>
> The marker attribute on the ssl module related to this feature is the
> ssl._verify_https_certificates function itself.
>
> Specification
> -------------
>
> The ssl._verify_https_certificates function will work as follows::
>
>     def _verify_https_certificates(enable=True):
>         """Verify server HTTPS certificates by default?"""
>         global _create_default_https_context
>         if enable:
>             _create_default_https_context = create_default_context
>         else:
>             _create_default_https_context = _create_unverified_context
>
> If called without arguments, or with enable set to a true value, then
> standard library client modules will subsequently verify HTTPS certificates by
> default, otherwise they will skip verification.

Perhaps I missed this, Nick, but what happens if multiple third party libraries apply updates to call this function in incompatible ways? For example, if you depend on libfoo which calls ssl._verify_https_certificates(False) and libbar which calls ssl._verify_https_certificates(True)? Is it…last import wins?
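
The function in the quoted specification rebinds a single module-level name, so as written the most recent call sets the process-wide default. The following is an added example, not code from the PEP or from either poster: it replays the libfoo/libbar scenario on Python 3 with a stand-in function and an audit check. The names verify_https_certificates_standin, default_https_verifies, IMPORT_TIME_CALLS and simulate_imports are assumptions made for this example.

```python
import ssl

def verify_https_certificates_standin(enable=True):
    """Stand-in with the behaviour of the quoted spec (assumed name, not in Python 3's ssl)."""
    if enable:
        ssl._create_default_https_context = ssl.create_default_context
    else:
        ssl._create_default_https_context = ssl._create_unverified_context

def default_https_verifies():
    """Audit check: does the current default HTTPS context validate chain and hostname?"""
    ctx = ssl._create_default_https_context()
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

# Hypothetical libraries from the question and the value each passes at import time.
IMPORT_TIME_CALLS = {"libfoo": False, "libbar": True}

def simulate_imports(order):
    """Replay the import-time calls in `order`; return True if verification ends up on."""
    saved = ssl._create_default_https_context
    try:
        for lib in order:
            verify_https_certificates_standin(IMPORT_TIME_CALLS[lib])
        return default_https_verifies()
    finally:
        ssl._create_default_https_context = saved  # leave the real process untouched

if __name__ == "__main__":
    for order in (["libfoo", "libbar"], ["libbar", "libfoo"]):
        state = "verified" if simulate_imports(order) else "UNVERIFIED"
        print(" -> ".join(order), "=>", state)
```

Calling default_https_verifies() at application start-up, after all imports, shows which setting actually took effect.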


