[issue23857] [RFE] Make certificate verification optionable

2015-04-03 Thread Robert Kuska
Changes by Robert Kuska rku...@gmail.com: -- nosy: +bkabrda ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue23857 ___ ___ Python-bugs-list mailing

[issue23857] [RFE] Make certificate verification optionable

2015-04-03 Thread STINNER Victor
STINNER Victor added the comment: This issue is related to the PEP 476 which made the SSL certification checks mandatory by default. The PEP contains a section to explain how to opt-out, but the solution is global: https://www.python.org/dev/peps/pep-0476/#opting-out I understand that Robert

[issue23857] [RFE] Make certificate verification optionable

2015-04-03 Thread Robert Kuska
Robert Kuska added the comment:
1) patch attached, dunno how I missed it, thank you.
3) I work for Red Hat, additional interest for example here http://seclists.org/oss-sec/2015/q1/785
2) It exists but it is not system wide, I would like to provide users option to opt-in or opt-out without

[issue23857] [RFE] Make certificate verification optionable

2015-04-03 Thread Nick Coghlan
Nick Coghlan added the comment: (capturing these details here for now, we should at least have a python-dev discussion before going ahead with any changes in this area) The additional background here is that we started looking closely at what would be involved in applying PEP 476 to systems

[issue23857] [RFE] Make certificate verification optionable

2015-04-03 Thread Robert Kuska
Robert Kuska added the comment: If you mean hack site.py to be sitecustomize I don't find it as a sufficient solution because users may use their own sitecustomize and this way we would replace theirs. Sslcustomize solution could be another option how to handle this but the config idea

[issue23857] [RFE] Make certificate verification optionable

2015-04-03 Thread Robert Kuska
Robert Kuska added the comment: ( ^ I was replying to Victor)

[issue23857] [RFE] Make certificate verification optionable

2015-04-03 Thread R. David Murray
R. David Murray added the comment:
1) there is no patch attached
2) certificate verification is optional already, is it not? That is, it can be turned off in your code, it is just on by default.
3) what downstream are you talking about? Supposing there is sufficient utility here, the level of

[issue23857] [RFE] Make certificate verification optionable

2015-04-03 Thread STINNER Victor
STINNER Victor added the comment:
> 2) It exists but it is not system wide,
You can hack site.py to disable SSL checks system-wide. It was also discussed to support an optional sslcustomize module, but the idea was rejected if I remember correctly. Anyway, did you read the discussion on the

[issue23857] [RFE] Make certificate verification optionable

2015-04-03 Thread Nick Coghlan
Nick Coghlan added the comment: The other goal worth noting here is that we'd like to facilitate easy system auditing/monitoring such that machines that still have Python certificate verification off by default can easily be flagged by checks in tools like Nagios, as well as being easy to

[issue23857] [RFE] Make certificate verification optionable

2015-04-03 Thread Robert Kuska
New submission from Robert Kuska: Proposed patch adds possibility to opt-out certificate verification. Disclaimer: it is just proof of concept as the config value is hard-coded. How it works? This patch depends on existence of config file which holds information about the protocol settings.