On 2016-08-31 10:31, M.-A. Lemburg wrote:
> In all this discussion I have yet to find a compelling security
> relevant argument for using an 1.0.2 API which is so important
> that we cannot make this optional at runtime.
> 
> The only argument Christian reported was this one:
> 
> """
>> BTW: Are there any features in 1.0.2 that we need and would warrant
>> dropping support for 1.0.1 earlier than Ubuntu 14.04 LTS ?
> 
> Yes, there are features I want to use, e.g. proper hostname
> verification. Python's post-handshake verification is a hack and leads
> to information disclosure.
> """
> 
> Regarding that argument: hostname validation can be done
> in 1.0.1 by providing a verification hook handler. That's
> intended and by design, not a hack. 1.0.2 comes with
> support for hostname validation making this a little easier
> (you still have to set this up, though).

Are you willing to implement and maintain this callback? Are you
willing to do all the work?

Are you aware how many security bugs we had in our own verification
code? I'm aware of at least two critical bugs.

Christian
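As an added illustration of the two approaches argued over above (this is example code, not code from this thread or from CPython), the Python block below sets up an SSLContext in which hostname verification is part of the handshake itself, which is what the ssl module does since Python 3.7 by handing the expected name to OpenSSL when check_hostname is True, and beside it a constructed post-handshake matcher over the dict that ssl.getpeercert() returns, covering the RFC 6125 edge cases such code has to get right (wildcards, case, trailing dots, IP literals, CN fallback). The sample certificate dicts, the helper names and the wildcard policy (whole leftmost label only, at least two labels after it) are assumptions made for the example.

```python
import ipaddress
import ssl


def handshake_verified_context():
    """Preferred setup: the expected hostname is checked by OpenSSL as part of
    certificate verification, so a mismatch aborts the handshake before any
    application data can be written by either side."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    return ctx


def context_rejects_unverified_hostname(ctx):
    """True if the context refuses to turn off certificate verification while
    check_hostname is enabled (the ssl module enforces this coupling)."""
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


def _labels(name):
    # Case-insensitive comparison, one trailing dot tolerated, split into labels.
    return name.lower().rstrip(".").split(".")


def _dns_match(pattern, hostname):
    """Compare one dNSName SAN (or CN) against a hostname, RFC 6125 style.
    Policy assumed here: a wildcard must be the entire leftmost label and be
    followed by at least two labels, so "*.com" and "f*.example.com" never match."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    return len(h) == len(p) and h[1:] == p[1:]


def match_hostname_after_handshake(cert, hostname):
    """Post-handshake check over ssl.SSLSocket.getpeercert() output.
    Returns (ok, reason). By the time this runs the handshake has already
    succeeded, so every caller must remember to run it before sending data."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal may only match an iPAddress SAN, never a dNSName or CN.
        for cand in ip_names:
            try:
                if ipaddress.ip_address(cand) == ip:
                    return True, "iPAddress SAN %s" % cand
            except ValueError:
                continue
        return False, "no iPAddress SAN matches %s" % hostname
    if dns_names:
        for cand in dns_names:
            if _dns_match(cand, hostname):
                return True, "dNSName SAN %s" % cand
        return False, "no dNSName SAN matches %s (CN ignored when dNSName SANs exist)" % hostname
    # Legacy fallback: commonName is consulted only when no dNSName SAN is present.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, hostname):
                return True, "legacy commonName %s" % value
    return False, "no dNSName SAN and commonName does not match %s" % hostname


# Constructed sample dicts in the shape getpeercert() returns (not real certificates).
SAMPLE_CERT = {
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.api.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}


if __name__ == "__main__":
    print(context_rejects_unverified_hostname(handshake_verified_context()))
    for name in ("www.example.com", "v1.api.example.com", "api.example.com",
                 "ignored.example.net", "192.0.2.10", "192.0.2.11"):
        print(name, match_hostname_after_handshake(SAMPLE_CERT, name))
```

The in-handshake path needs no matcher of its own and cannot be skipped by a caller that writes before checking; the post-handshake path reproduces the situation described above, where a completed handshake with the wrong peer exists before the mismatch is noticed, and where the matching rules themselves are a source of bugs.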
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com