2013/6/3 Donald Stufft <[email protected]>: > > On Jun 3, 2013, at 1:58 AM, Benjamin Peterson <[email protected]> wrote: > > 2013/6/2 Donald Stufft <[email protected]>: > > As of right now, as far as I can tell, Python does not validate HTTPS > certificates by default. As far as I can tell this is because there is no > guaranteed certificates available. > > So I would like to propose that CPython adopt the Mozilla SSL certificate > list and include it in core, and switch over the API's so that they verify > HTTPS by default. > > > +1 > > > Ideally this would take the shape of attempting to locate the system > certificate store if possible, and if that doesn't work falling back to the > bundled certificates. That way the various Linux distros can easily have > their copies of Python depend soley on their built in certs, but Windows, > OSX, Source compiles etc will all still have a fallback value. > > > My preference would be actually be for the included certificates file > to be used by default. This would provide a consistent experience > across platforms. We could provide options to look for system cert > repositories if desired. > > > That's fine with me too. My only reason for wanting to use the system certs > first is so > if someone has modified their system certs (say to include a corporate cert) > that it > would ideally take affect for Python as well.
I don't think users should be able to modify stdlib behaviors (in this case could be unintentionally) without application consent. > > But honestly the Linux distros will probably modify things to use system > certs anyways > and non Linux (esp Windows) probably doesn't have a way to get those system > certs > into OpenSSL. Yes, I'm happy to let them figure it out. -- Regards, Benjamin _______________________________________________ Python-Dev mailing list [email protected] http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
