[Python-Dev] SSL certificates recommendations for downstream python packagers

Paul Moore p.f.moore at gmail.com
Tue Jan 31 04:56:28 EST 2017


On 31 January 2017 at 09:19, Cory Benfield <cory at lukasa.co.uk> wrote:
>
> In general, it is unwise to mix trust stores. If you want to use your OS’s
> trust store, the best approach is to use the OS’s TLS stack as well. At
> least that way when a user says “It works in my browser”, you know it should
> work for you too.

As a bystander (and an "end user" of this stuff) the message I'm
getting here is a bit worrying. To take a step back from the sysadmin
issues here, is the statement

    It's safe to use Python (either via the stdlib, or various 3rd
    party libraries like requests) to access https URLs

correct? I understand that "safe" is a complex concept here, but in
terms of promoting Python, I'd be using the term in the sense of "at
least as acceptable as using something like C# or Java" - in other
words I'm not introducing any new vulnerabilities if I argue for
Python over one of those languages?

Paul

