[Python-Dev] Issues in Python TLS
Nick Coghlan ncoghlan at gmail.com
Wed Aug 17 12:15:03 EDT 2016
- Previous message (by thread): [Python-Dev] Issues in Python TLS
- Next message (by thread): [Python-Dev] Reminder: 3.6.0a4 snapshot 2016-08-15 12:00 UTC
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 14 August 2016 at 09:14, Benjamin Peterson <benjamin at python.org> wrote:
> Correctness of TLS certificate verification is known to depend deeply on distribution. Python began to verify certificates by default only in version 2.7.9. Many OS distributions (in particular, Ubuntu) did not enable verification for their stable distributions for backwards compatibility reasons. You might find looking at distro bugs for CVE-2014-9365 edifying.
For RHEL (and hence CentOS), https://access.redhat.com/articles/2039753 summarises the current status.
Since the system Python in RHEL 7.x is nominally Python 2.7.5, the default behaviour reflects that. However, both PEP 466 and PEP 476 have been backported (as of RHEL 7.2 and the corresponding CentOS release), so requests picks up the new capabilities implicitly, while the standard library can be configured for default verification by writing:
    [https]
    verify=enable

to /etc/python/cert-verification.cfg
Since folks are now able to force verification off via that same configuration file mechanism, we've also reserved the right to eventually change the default Python standard library behaviour on a fresh RHEL 7 installation to be to verify certificates.
Cheers, Nick.
-- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
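The practical question behind Nick's message is "does the interpreter I am running verify certificates by default, and how do I stop depending on that?" The following Python 3 script is an added example, not code from the message, the Red Hat article or the RHEL backport. It reads the [https] verify setting from a constructed copy of /etc/python/cert-verification.cfg (values other than `enable` are assumptions, not taken from the message), inspects the private `ssl._create_default_https_context` hook that PEP 476 introduced (an implementation detail, so treat that check as a heuristic), and builds a urllib opener that verifies the chain and hostname whatever the distro default happens to be.

```python
"""Check whether this Python verifies HTTPS certificates by default, and
force verification in application code regardless of the distro default.

Added example; not part of the original python-dev message. The cfg
parsing assumes the file is INI-style with an [https] section and a
`verify` key, as the message shows; values other than `enable` are
assumed here for illustration.
"""
import configparser
import ssl
import urllib.request

# Constructed sample contents of /etc/python/cert-verification.cfg
SAMPLE_CFG_ENABLED = "[https]\nverify=enable\n"
SAMPLE_CFG_DISABLED = "[https]\nverify=disable\n"


def parse_cert_verification_cfg(text):
    """Return the [https] verify value from cfg text, or None if absent."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section("https"):
        return None
    return cp.get("https", "verify", fallback=None)


def cfg_requests_verification(text):
    """True only when the cfg file explicitly turns verification on."""
    return parse_cert_verification_cfg(text) == "enable"


def interpreter_verifies_by_default():
    """Heuristic: does the stdlib's default HTTPS context verify peers?

    Since PEP 476, urllib/http.client build their context through the
    private hook ssl._create_default_https_context. An interpreter that
    has verification switched off is assumed to point that hook at
    ssl._create_unverified_context (the stdlib's own opt-out) instead of
    ssl.create_default_context. A pre-PEP 476 interpreter has no hook at
    all and never verified.
    """
    hook = getattr(ssl, "_create_default_https_context", None)
    if hook is None:
        return False
    return hook is ssl.create_default_context


def make_verifying_context(cafile=None):
    """Context that verifies the chain and checks the hostname, independent
    of whatever the distro default is. cafile=None uses the platform trust
    store (or the OpenSSL defaults)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx):
    """True when ctx both requires a valid chain and checks the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def make_verifying_opener(cafile=None):
    """urllib opener that always verifies; call opener.open(url) with it."""
    handler = urllib.request.HTTPSHandler(context=make_verifying_context(cafile))
    return urllib.request.build_opener(handler)


if __name__ == "__main__":
    print("sample cfg verify setting:", parse_cert_verification_cfg(SAMPLE_CFG_ENABLED))
    print("interpreter verifies by default:", interpreter_verifies_by_default())
    print("explicit context is strict:", context_is_strict(make_verifying_context()))
    opener = make_verifying_opener()
    print("opener ready; use opener.open('https://...') for verified requests")
```

Passing an explicit context to the opener sidesteps the cfg file entirely, which is the right move for application code that must behave identically across RHEL 7.x, other distros and non-system Pythons; the cfg parser is only useful for auditing a host's system-wide setting.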