> On Sep 10, 2016, at 10:22 AM, Christian Heimes <christ...@python.org> wrote:
>
> I don't load any certs because it is not possible to remove a cert or
> X509 lookup once it is loaded. create_default_context() just has to
> load the certs and set more secure cipher suites.

This part is the most concerning to me, though I understand why it’s the case. Perhaps we can do something a little tricky to allow both things to happen? IOW do sort of a late binding of a call to loading the default certificates if no other certificates have been loaded when the call to SSLContext().wrap_socket() has been made.

So we’d do something like:

    class SSLContext:
        def __init__(self, …):
            self._loaded_certificates = False
            …  # Do Other Stuff

        def load_default_certs(self, …):
            self._loaded_certificates = True
            …  # Do Other Stuff

        def load_verify_locations(self, …):
            self._loaded_certificates = True
            …  # Do Other Stuff

        def wrap_socket(self, …):
            if not self._loaded_certificates:
                self.load_default_certs()
            …  # Do Other Stuff

That way if someone does something like:

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile="…")
    ctx.wrap_socket(…)

Then they don’t get any default certificates added, HOWEVER if they do:

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.wrap_socket(…)

Then they do. The main drawback I can see with this is that you can’t wrap a socket and then add certificates after the fact… but I don’t even know if that makes sense to do?

— Donald Stufft
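
The late-binding idea sketched in this message, written out as a runnable subclass of ssl.SSLContext. This is an added example, not code from the thread or from CPython: `LateBindingContext`, `used_defaults`, `_bind_defaults` and `demo` are hypothetical names, the empty CA directory is constructed input, and the example also covers wrap_bio(), which the sketch does not mention.

```python
import socket
import ssl
import tempfile


class LateBindingContext(ssl.SSLContext):
    """SSLContext that loads the default CAs only if no trust source was set."""

    def __new__(cls, *args, **kwargs):
        self = super().__new__(cls, *args, **kwargs)
        self._loaded_certificates = False  # flag name taken from the sketch
        self.used_defaults = False         # hypothetical, for inspection only
        return self

    def load_default_certs(self, *args, **kwargs):
        self._loaded_certificates = True
        self.used_defaults = True
        return super().load_default_certs(*args, **kwargs)

    def load_verify_locations(self, *args, **kwargs):
        super().load_verify_locations(*args, **kwargs)  # raises on bad input
        self._loaded_certificates = True  # set only once the load succeeded

    def _bind_defaults(self):
        # The late binding: fall back to system trust only when nothing was set.
        if not self._loaded_certificates:
            self.load_default_certs()

    def wrap_socket(self, *args, **kwargs):
        self._bind_defaults()
        return super().wrap_socket(*args, **kwargs)

    def wrap_bio(self, *args, **kwargs):
        self._bind_defaults()
        return super().wrap_bio(*args, **kwargs)


def demo(explicit_trust):
    """Wrap one end of a local socket pair without handshaking; report state."""
    ctx = LateBindingContext(ssl.PROTOCOL_TLS_CLIENT)
    if explicit_trust:
        # Constructed input: an empty directory standing in for a private CA path.
        ctx.load_verify_locations(capath=tempfile.mkdtemp())
    a, b = socket.socketpair()
    try:
        ctx.wrap_socket(a, server_hostname="example.test",
                        do_handshake_on_connect=False).close()
    finally:
        b.close()
    return ctx.used_defaults, ctx.cert_store_stats()["x509"]
```

Because the flag is set in load_verify_locations() only after the underlying call succeeds, a failed explicit load still leaves the context eligible for the default fallback; a deployment that must never trust the system store would want to fail closed instead.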