On Jun 3, 2013, at 5:31 PM, Paul Moore <[email protected]> wrote:

>
> On 3 June 2013 21:05, Chris Angelico <[email protected]> wrote:
> +1 for having the default be safe, but this will have to be very
> loudly announced ("when migrating from 3.3 to 3.4, TLS connections
> will cease to work if blah blah").
>
> +1 on the default being safe, certainly. But with the proviso that the same
> code should work in 3.3 and 3.4, with no user impact (other than that the
> connection is safer, but that's not user-visible unless there's an attack :-))

If we bundle certs that will be the case sans connections where it doesn't validate.

>
> In other words, that "will cease to work" clause should not exist - but see
> below...
>
> Some legit sites with proper
> certificates still manage to muck something up administratively
> (developer.quicksales.com.au has a cert from RapidSSL but doesn't
> bundle the intermediates, and I've told their devs about it, but all I
> can do is disable cert checking). This will break code in ways that
> will surprise people greatly. But I'd still rather the default be
> True.
>
> I'm happy if the "will cease to work" clause only says "some sites with
> broken security configurations may stop working" with a clear explanation
> that it is *their* fault, not Python's. I'd also expect that the same sites
> would fail in browsers - if not, we should also be able to make them work (or
> face cries of "well, Internet Explorer/Firefox doesn't have a problem with my
> site, why does Python?").

Browsers tend to download intermediate certs while I don't think Python does.

>
> Also, we should consider the issue for application users. Suppose I'm using a
> Python application that downloads something from the web. I upgrade to 3.4,
> and the app stops working because of a "will cease to work" case. As an end
> user, how can I get the app working again? Having to patch the sources isn't
> an option, and reverting to 3.3 provokes the reaction "Python broke my app".

Supply an SSL cert using the environment variable?

>
> Summary - I'm +1 as long as either the "will cease to work" list is empty, or
> we have a *very* good story for (legitimate) sites which do cease to work.
>
> Paul.
> _______________________________________________
> Python-Dev mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> http://mail.python.org/mailman/options/python-dev/donald%40stufft.io

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
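
Added example, not part of the original thread and not CPython's own code: a client context that verifies by default, with the trust store overridable by the end user through the environment so the application source is never patched. The helper names are hypothetical, and SSL_CERT_FILE / SSL_CERT_DIR are OpenSSL's conventional variable names, assumed here because the thread does not name the variable.

```python
import os
import socket
import ssl


def make_context(environ=None):
    """Return (context, trust_source) for a verifying TLS client.

    Verification is never switched off: a bad override raises instead of
    silently falling back to an unverified connection.
    """
    environ = os.environ if environ is None else environ
    # PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cafile = environ.get("SSL_CERT_FILE") or None  # assumed variable name
    capath = environ.get("SSL_CERT_DIR") or None   # assumed variable name
    if cafile or capath:
        # User-supplied bundle, e.g. one that also contains the intermediate
        # certificate a misconfigured server fails to send.
        ctx.load_verify_locations(cafile=cafile, capath=capath)
        return ctx, "environment"
    ctx.load_default_certs()  # platform / OpenSSL default trust store
    return ctx, "system"


def check_site(host, port=443, environ=None, timeout=10):
    """Return (True, peer_subject) or (False, reason) for a TLS handshake."""
    ctx, _ = make_context(environ)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        # A server that omits its intermediates typically lands here with
        # "unable to get local issuer certificate".
        return False, exc.verify_message


if __name__ == "__main__":
    context, source = make_context()
    print("trust source:", source)
    print("verify_mode:", context.verify_mode.name)
    print("check_hostname:", context.check_hostname)
```
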
