> On May 2, 2016, at 9:06 PM, John Levine <[email protected]> wrote:
>
> Is it really that hard to look at the documentation for the python
> libraries? It's right here:
> https://docs.python.org/3/library/http.client.html
>
> By default, the https library checks the certificate chain against the
> usual pile of CAs and throws an exception if the validation fails.
> You can turn off the checks for applications that want to do something
> special, but we didn't do that.

The documentation says:

    Changed in version 3.4.3: This class now performs all the necessary
    certificate and hostname checks by default. To revert to the previous,
    unverified, behavior ssl._create_unverified_context() can be passed to
    the context parameter.

So it seems that you either get both chain verification and hostname checks or
neither. Perhaps I am reading the docs incorrectly?

In any case, doing atypical things risks people doing the wrong thing, even if
one particular library makes it comparatively painless to do the right thing.

--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
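
An added example, not part of the original message or of the code under discussion in the thread: it inspects the `ssl.SSLContext` objects that can be passed to the `context` parameter of `http.client.HTTPSConnection` and reports which of the two checks discussed above (chain verification, hostname matching) each one performs. The helper names are hypothetical; only the `ssl` module attributes are real.

```python
import ssl


def verification_posture(ctx):
    """Report which checks a client-side SSLContext will perform."""
    return {
        "chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname": ctx.check_hostname,
    }


def default_context():
    # What HTTPSConnection uses when no context is supplied (3.4.3 and later).
    return ssl.create_default_context()


def chain_only_context():
    # Chain is still validated against the trusted CAs, but the name in the
    # certificate is no longer compared with the host being contacted.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def unverified_context():
    # The context named in the documentation excerpt: neither check is done.
    return ssl._create_unverified_context()


def hostname_without_chain_error():
    """Try to keep hostname matching while dropping chain verification.

    The ssl module refuses this combination; return its error message.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for make in (default_context, chain_only_context, unverified_context):
        print(make.__name__, verification_posture(make()))
    print("hostname without chain:", hostname_without_chain_error())
```

A context that reports `hostname: False` is worth flagging in review even when `chain` is `True`, since any certificate issued by a trusted CA for any name would then be accepted.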