[Python-Dev] PEP 476: Enabling certificate validation by default!
Antoine Pitrou
solipsis at pitrou.net
Sat Aug 30 12:55:54 CEST 2014
On Sat, 30 Aug 2014 12:46:47 +0200
"M.-A. Lemburg" <mal at egenix.com> wrote:
> The change is to the OpenSSL API, not the OpenSSL lib. By setting
> the variable you enable a few special calls to the config loader
> functions in OpenSSL when calling the initializer it:
>
> https://www.openssl.org/docs/crypto/OPENSSL_config.html

Ah, ok. Do you have experience with openssl.cnf? Apparently, it is
meant for offline tools such as certificate generation, I am not sure
how it could impact certification validation.

> > That use case should be served with the SSL_CERT_DIR and SSL_CERT_FILE
> > env vars (or, better, by specific settings *inside* the application).
> >
> > I'm against multiplying environment variables, as it makes it more
> > difficult to assess the actual security of a setting. The danger of an
> > ill-secure setting is much more severe than with hash randomization.
>
> You have a point there. So how about just a python run-time switch
> and no env var ?

Well, why not, but does it have a value over letting the code properly
configure their SSLContext?

Regards

Antoine.
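Added example, not part of the original message or of CPython: a sketch of an application configuring its own SSLContext, as the thread suggests, with a small audit for contexts that skip verification and a check for the SSL_CERT_FILE / SSL_CERT_DIR variables that change the default trust store. The function names are hypothetical; only the standard `ssl` and `os` modules are used.

```python
import os
import ssl

# OpenSSL trust-store variables named in the thread.
TRUST_ENV_VARS = ("SSL_CERT_FILE", "SSL_CERT_DIR")


def build_context(cafile=None, capath=None):
    """Verifying client context whose trust store the application picks."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    # With cafile/capath given, only those locations are loaded; with
    # neither, the platform defaults (and the env vars above) apply.
    return ssl.create_default_context(
        ssl.Purpose.SERVER_AUTH, cafile=cafile, capath=capath)


def weak_context():
    """The configuration to flag: no chain or hostname verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of verification weaknesses found in an SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled")
    return findings


def env_trust_overrides(environ=None):
    """Trust-store variables set in the environment, with their values."""
    environ = os.environ if environ is None else environ
    return {name: environ[name] for name in TRUST_ENV_VARS if name in environ}


if __name__ == "__main__":
    print("verified context:", audit_context(build_context()) or "ok")
    print("weak context:    ", audit_context(weak_context()))
    print("env overrides:   ", env_trust_overrides() or "none")
```

Logging the result of `env_trust_overrides()` at startup makes it visible when the effective trust store differs from what the code alone would suggest.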