[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
Donald Stufft
donald at stufft.io
Mon Jun 3 23:47:31 CEST 2013
More information about the Python-Dev mailing list
Mon Jun 3 23:47:31 CEST 2013
- Previous message: [Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
- Next message: [Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Jun 3, 2013, at 5:41 PM, Antoine Pitrou <solipsis at pitrou.net> wrote: > On Mon, 3 Jun 2013 22:31:40 +0100 > Paul Moore <p.f.moore at gmail.com> wrote: >> >>> Some legit sites with proper >>> certificates still manage to muck something up administratively >>> (developer.quicksales.com.au has a cert from RapidSSL but doesn't >>> bundle the intermediates, and I've told their devs about it, but all I >>> can do is disable cert checking). This will break code in ways that >>> will surprise people greatly. But I'd still rather the default be >>> True. >>> >> >> I'm happy if the "will cease to work" clause only says "some sites with >> broken security configurations may stop working" with a clear explanation >> that it is *their* fault, not Python's. I'd also expect that the same sites >> would fail in browsers - if not, we should also be able to make them work >> (or face cries of "well, Internet Explorer/Firefox doesn't have a problem >> with my site, why does Python?"). > > Keep in mind that not every HTTPS service is a Web site that is meant > to be readable with a browser. Some are Web services, possibly internal, > possibly without a domain name (and, therefore, probably a non-matching > certificate subject name). They should need to explicitly opt in to disabling the checks that allow that to work. > > Regards > > Antoine. > > > _______________________________________________ > Python-Dev mailing list > Python-Dev at python.org > http://mail.python.org/mailman/listinfo/python-dev > Unsubscribe: http://mail.python.org/mailman/options/python-dev/donald%40stufft.io ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/7e2483be/attachment.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/7e2483be/attachment.pgp>
- Previous message: [Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
- Next message: [Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Python-Dev mailing list