[Python-Dev] PEP 476: Enabling certificate validation by default!
Antoine Pitrou
solipsis at pitrou.net
Sat Aug 30 12:55:54 CEST 2014
On Sat, 30 Aug 2014 12:46:47 +0200
"M.-A. Lemburg" <mal at egenix.com> wrote:
> The change is to the OpenSSL API, not the OpenSSL lib. By setting
> the variable you enable a few special calls to the config loader
> functions in OpenSSL when calling the initializer it:
>
> https://www.openssl.org/docs/crypto/OPENSSL_config.html
Ah, ok. Do you have experience with openssl.cnf? Apparently, it is
meant for offline tools such as certificate generation, I am not sure
how it could impact certification validation.
> > That use case should be served with the SSL_CERT_DIR and SSL_CERT_FILE
> > env vars (or, better, by specific settings *inside* the application).
> >
> > I'm against multiplying environment variables, as it makes it more
> > difficult to assess the actual security of a setting. The danger of an
> > ill-secure setting is much more severe than with hash randomization.
>
> You have a point there. So how about just a python run-time switch
> and no env var ?
Well, why not, but does it have a value over letting the code properly
configure their SSLContext?
Regards
Antoine.
More information about the Python-Dev
mailing list