[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
Chris Angelico
rosuav at gmail.com
Mon Jun 3 22:05:01 CEST 2013
On Tue, Jun 4, 2013 at 4:56 AM, Ethan Furman <ethan at stoneleaf.us> wrote:
> On 06/03/2013 11:34 AM, Antoine Pitrou wrote:
>>
>> On Mon, 3 Jun 2013 14:12:34 -0400
>> Donald Stufft wrote:
>>>
>>> I worry with the current situation people will just use TLS connections
>>> without realizing it's not being verified and thinking they are "safe".
>>
>> Yet there's quite a visible warning in the docs:
>> http://docs.python.org/dev/library/urllib.request.html
>
> As has been mentioned elsewhere, at the very least we should change
> cadefault to True for secure-type connections. The dangerous/unexpected
> behavior should not be the default.

+1 for having the default be safe, but this will have to be very
loudly announced ("when migrating from 3.3 to 3.4, TLS connections
will cease to work if blah blah"). Some legit sites with proper
certificates still manage to muck something up administratively
(developer.quicksales.com.au has a cert from RapidSSL but doesn't
bundle the intermediates, and I've told their devs about it, but all I
can do is disable cert checking). This will break code in ways that
will surprise people greatly. But I'd still rather the default be
True.

ChrisA