[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
R. David Murray
rdmurray at bitdance.com
Mon Jun 3 11:28:51 CEST 2013
More information about the Python-Dev mailing list
Mon Jun 3 11:28:51 CEST 2013
- Previous message: [Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
- Next message: [Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, 03 Jun 2013 19:38:45 +1200, Ben Hoyt <benhoyt at gmail.com> wrote: > Love this idea. Some third-party HTTP libraries turn this on by > default in any case (eg: requests, and I think others), so this would > mean Python would get their "safe-by-default" behaviour in its stdlib. > > > > Ideally this would take the shape of attempting to locate the system > > > certificate store if possible, and if that doesn't work falling back to the > > > bundled certificates. That way the various Linux distros can easily have > > > their copies of Python depend soley on their built in certs, but Windows, > > > OSX, Source compiles etc will all still have a fallback value. > > > > My preference would be actually be for the included certificates file > > to be used by default. This would provide a consistent experience > > across platforms. We could provide options to look for system cert > > repositories if desired. > > Very much agreed. When the Windows version of the mimetypes module > tried to use Windows' system mimetype mappings by default, chaos and > bugs ensued (for example, http://bugs.python.org/issue15207 and > http://bugs.python.org/issue10551). On the other hand, the fact that it uses /etc/mimetypes on unix does *not* cause chaos, quite the opposite: it means Python recognizes new mime types provided by the distro automatically, which provides for a more consistent experience for the Python application user. The situation for certs is probably fairly parallel: on unix, it would probably be an advantage as Python would automatically follow distro decisions about cert chains, while on windows trying to use a system cert store would probably be a disaster. An application can choose to explicitly ignore the system mimetypes file, by the way. That said, I don't feel strongly either way about the cert store case. --David
- Previous message: [Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
- Next message: [Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Python-Dev mailing list