On 3 Jun, 2013, at 7:58, Benjamin Peterson <benja...@python.org> wrote:
> 2013/6/2 Donald Stufft <don...@stufft.io>: >> As of right now, as far as I can tell, Python does not validate HTTPS >> certificates by default. As far as I can tell this is because there is no >> guaranteed certificates available. >> >> So I would like to propose that CPython adopt the Mozilla SSL certificate >> list and include it in core, and switch over the API's so that they verify >> HTTPS by default. > > +1 > >> >> Ideally this would take the shape of attempting to locate the system >> certificate store if possible, and if that doesn't work falling back to the >> bundled certificates. That way the various Linux distros can easily have >> their copies of Python depend soley on their built in certs, but Windows, >> OSX, Source compiles etc will all still have a fallback value. > > My preference would be actually be for the included certificates file > to be used by default. This would provide a consistent experience > across platforms. We could provide options to look for system cert > repositories if desired. I'd prefer to use the system CA list when that's available. I've had to hunt down the CA list for a number of application when a custom CA for internal use and that's not fun, using the system list is much friendlier to users. Ronald _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
