[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

[Benjamin Peterson]

2013/6/3 Donald Stufft <donald at stufft.io>:
>
> On Jun 3, 2013, at 1:58 AM, Benjamin Peterson <benjamin at python.org> wrote:
>
> 2013/6/2 Donald Stufft <donald at stufft.io>:
>
> As of right now, as far as I can tell, Python does not validate HTTPS
> certificates by default. As far as I can tell this is because there is no
> guaranteed certificates available.
>
> So I would like to propose that CPython adopt the Mozilla SSL certificate
> list and include it in core, and switch over the API's so that they verify
> HTTPS by default.
>
>
> +1
>
>
> Ideally this would take the shape of attempting to locate the system
> certificate store if possible, and if that doesn't work falling back to the
> bundled certificates. That way the various Linux distros can easily have
> their copies of Python depend soley on their built in certs, but Windows,
> OSX, Source compiles etc will all still have a fallback value.
>
>
> My preference would be actually be for the included certificates file
> to be used by default. This would provide a consistent experience
> across platforms. We could provide options to look for system cert
> repositories if desired.
>
>
> That's fine with me too. My only reason for wanting to use the system certs
> first is so
> if someone has modified their system certs (say to include a corporate cert)
> that it
> would ideally take affect for Python as well.

I don't think users should be able to modify stdlib behaviors (in this
case could be unintentionally) without application consent.

>
> But honestly the Linux distros will probably modify things to use system
> certs anyways
> and non Linux (esp Windows) probably doesn't have a way to get those system
> certs
> into OpenSSL.

Yes, I'm happy to let them figure it out.



--
Regards,
Benjamin