[Python-Dev] PEP 476: Enabling certificate validation by default!

Paul Moore p.f.moore at gmail.com
Sat Aug 30 12:48:55 CEST 2014


On 30 August 2014 03:44, Alex Gaynor <alex.gaynor at gmail.com> wrote:
> Discussion points:
>
> * Disabling verification entirely externally to the program, through a CLI flag
>   or environment variable. I'm pretty down on this idea, the problem you hit is
>   that it's a pretty blunt instrument to swing, and it's almost impossible to
>   imagine it not hitting things it shouldn't

As a data point, I use --no-check-certificates extensively, in wget,
curl and some Python programs which have it, like youtube-dl.

The reason I do so is typically because the programs do not use the
Windows certificate store, and configuring a second certificate store
on a per-program basis is too much of a pain to be worth it
(per-program because the hacks such programs use to get round the fact
that Windows has no central location like /etc are inconsistent).

The key question for me is therefore, does Python's ssl support use
the Windows store directly these days? I checked the docs and couldn't
find anything explicitly stating this (but all the terminology is
foreign to me, so I may have missed it). If it does, programs like
youtube-dl will start to "just work" and I won't have the need for a
"switch off everything" flag.

If a new Python 3.5 installation on a Windows machine will enforce
https cert checking and yet will not check the system store (or, I
guess, come with an embedded store, but aren't there maintenance
issues with doing that?) then I believe a global "don't check" flag
will be needed, as not all programs offer a "don't check certificates"
mode. And naive users like me may not even know how to code the
behaviour for such an option - and the tone of the debate here leads
me to believe that it'll be hard for developers to get unbiased advice
on how to switch off checking, so it'll end up being patchily
implemented.

Paul
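
The following diagnostic is an added example, not part of the original message or of the PEP: it reports how `ssl.create_default_context()` is configured on the current host and, on Windows, how many certificates in the system "CA" and "ROOT" stores would be accepted for TLS server authentication. It assumes Python 3.4 or later; the function names and the sample entries are constructed for illustration.

```python
import ssl
import sys

SERVER_AUTH_OID = ssl.Purpose.SERVER_AUTH.oid  # "1.3.6.1.5.5.7.3.1"


def count_server_auth(entries):
    """Count store entries usable as trust anchors for TLS servers.

    `entries` has the shape returned by ssl.enum_certificates():
    (cert_bytes, encoding_type, trust), where trust is True (all
    purposes) or a set of allowed purpose OIDs.
    """
    usable = 0
    for _cert, encoding, trust in entries:
        if encoding != "x509_asn":  # skip PKCS#7 bundles
            continue
        if trust is True or SERVER_AUTH_OID in trust:
            usable += 1
    return usable


def default_trust_report():
    """Describe where the default context gets its trust anchors."""
    ctx = ssl.create_default_context()  # verification on, system CAs loaded
    paths = ssl.get_default_verify_paths()
    report = {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "openssl_cafile": paths.cafile,
        "openssl_capath": paths.capath,
        # Certificates under a capath directory are loaded lazily,
        # so this count can be 0 before the first handshake.
        "loaded_ca_certs": ctx.cert_store_stats()["x509_ca"],
        "windows_store_counts": None,
    }
    if sys.platform == "win32":  # ssl.enum_certificates is Windows-only
        report["windows_store_counts"] = {
            store: count_server_auth(ssl.enum_certificates(store))
            for store in ("CA", "ROOT")
        }
    return report


if __name__ == "__main__":
    for key, value in default_trust_report().items():
        print(f"{key}: {value}")
```
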

