[Python-Dev] PEP 476: Enabling certificate validation by default!

Donald Stufft donald at stufft.io
Sat Aug 30 00:00:50 CEST 2014


> On Aug 29, 2014, at 5:42 PM, R. David Murray <rdmurray at bitdance.com> wrote:
> 
> On Fri, 29 Aug 2014 17:11:35 -0400, Donald Stufft <donald at stufft.io> wrote:
>> Sorry I was on my phone and didn’t get to fully reply to this.
>>> On Aug 29, 2014, at 4:00 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>>> 
>>> * configuration:
>>> 
>>>  It would be good to be able to switch this on or off
>>>  without having to change the code, e.g. via a command
>>>  line switch and environment variable; perhaps even
>>>  controlling whether or not to raise an exception or
>>>  warning.
>> 
>> I’m on the fence about this, if someone provides a certificate
>> that we can validate against (which can be done without
>> touching the code) then the only thing that really can’t be
>> “fixed” without touching the code is if someone has a certificate
>> that is otherwise invalid (expired, not yet valid, wrong hostname,
>> etc). I’d say if I was voting on this particular thing I’d be -0, I’d
>> rather it didn’t exist but I wouldn’t cry too much if it did.
> 
> Especially if you want an accelerated change, there must be a way to
> *easily* get back to the previous behavior, or we are going to catch a
> lot of flack.  There may be only 7% of public certs that are problematic,
> but I'd be willing to bet you that there are more not-really-public ones
> that are critical to day to day operations *somewhere* :)
> 
> wget and curl have 'ignore validation' as a command line flag for a reason.
> 

Right, that’s why I’m on the fence :)

On one hand, it’s going to break things for some people, (arguably they are
already broken, just silently so, but we’ll leave that argument aside) and a
way to get back the old behavior is good. There are already ways within
the Python code itself, so that’s covered. From outside of the Python code
there are ways if the certificate is untrusted but otherwise valid which are
pretty easy to do. The major “gap” is when you have an actual invalid
certificate due to expiration or hostname or some other such thing.

On the other hand Python is not wget/curl and the people who are most
likely to be the target for a “I can’t change the code but I need to get the
old behavior back” are people who are likely to not be invoking Python
itself but using something written in Python which happens to be using
Python. IOW they might be executing “foobar” not “python -m foobar”.

Like I said though, I’m personally fine either way so don’t take this as
being against that particular change!

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
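An added example (not part of this thread or of the PEP's own code) showing the two "get the old behaviour back" paths the message distinguishes, from the defensive side: a context that validates against the platform trust store or a private CA bundle (the "untrusted but otherwise valid" case, fixable without touching code via OpenSSL's SSL_CERT_FILE / SSL_CERT_DIR environment variables or via cafile), and a small guard an application can run to detect when some caller has handed it a non-validating context. The function names and the bundle path are this example's own assumptions.

```python
import os
import ssl


def validating_context(cafile=None):
    """Build a client context that validates the server certificate,
    which is the PEP 476 default behaviour.

    cafile: optional path to a PEM bundle for a private CA. If None,
    OpenSSL's default trust store is used; that lookup also honours the
    SSL_CERT_FILE / SSL_CERT_DIR environment variables, so a private CA
    can be trusted without changing any Python code.
    (Function name and parameter are this example's assumptions.)
    """
    if cafile is not None and not os.path.isfile(cafile):
        raise FileNotFoundError(f"CA bundle not found: {cafile}")
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile)
    # create_default_context already sets these; state them explicitly so
    # the intent survives later edits to this function.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_validating(ctx):
    """True only if the context both checks the chain and the hostname.

    An expired certificate or a hostname mismatch (the "actual invalid
    certificate" case in the message above) is rejected by such a
    context; a CERT_NONE context would silently accept it.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def trust_override_env_vars():
    """Return the environment variable names OpenSSL consults for an
    alternative CA file and CA directory, as reported by the ssl module."""
    paths = ssl.get_default_verify_paths()
    return paths.openssl_cafile_env, paths.openssl_capath_env


if __name__ == "__main__":
    strict = validating_context()
    print("default context validating:", is_validating(strict))
    # The escape hatch PEP 476 provides for code that must opt out;
    # the guard above flags it rather than letting it pass unnoticed.
    loose = ssl._create_unverified_context()
    print("unverified context validating:", is_validating(loose))
    print("trust-store override env vars:", trust_override_env_vars())
```

The guard is the useful part for an operator: wrap it around whatever context a library hands back, and a silent downgrade to the pre-PEP behaviour turns into a visible failure instead of a certificate that is accepted regardless of expiry or hostname.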
