On Fri, 29 Aug 2014 17:11:35 -0400, Donald Stufft <don...@stufft.io> wrote:
> Sorry I was on my phone and didn’t get to fully reply to this.
>
> On Aug 29, 2014, at 4:00 PM, M.-A. Lemburg <m...@egenix.com> wrote:
> >
> > * configuration:
> >
> > It would be good to be able to switch this on or off
> > without having to change the code, e.g. via a command
> > line switch and environment variable; perhaps even
> > controlling whether or not to raise an exception or
> > warning.
>
> I’m on the fence about this, if someone provides a certificate
> that we can validate against (which can be done without
> touching the code) then the only thing that really can’t be
> “fixed” without touching the code is if someone has a certificate
> that is otherwise invalid (expired, not yet valid, wrong hostname,
> etc). I’d say if I was voting on this particular thing I’d be -0, I’d
> rather it didn’t exist but I wouldn’t cry too much if it did.

Especially if you want an accelerated change, there must be a way to
*easily* get back to the previous behavior, or we are going to catch a
lot of flack. There may be only 7% of public certs that are problematic,
but I'd be willing to bet you that there are more not-really-public ones
that are critical to day to day operations *somewhere* :)

wget and curl have 'ignore validation' as a command line flag for a reason.

--David

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com