On 22.01.2014 14:24, Nick Coghlan wrote: > On 22 January 2014 23:19, Antoine Pitrou <solip...@pitrou.net> wrote: >> On Wed, 22 Jan 2014 05:30:40 -0500 >> Donald Stufft <don...@stufft.io> wrote: >>> I would like to propose that a backwards incompatible change be >>> made to Python to make verification of hostname and certificate >>> chain the default instead of requiring it to be opt in. >>> >>> Python 3.4 has made great strides in making it easier for applications >>> to simply turn on these settings, however many people are not aware >>> at all that they need to opt into this. Most assume that it will operate >>> similarly to their browser, curl, wget, etc >> >> Python is not a Web client. Are you talking specifically about urllib? > > And all the other client modules that can make secure network > connections (but don't validate that the certificate matches the > hostname by default).
With Python 3.4 all stdlib modules can verify the hostname and in fact do with ssl.create_default_context(). Several modules like ftplib didn't support SNI and hostname verification. _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
