[Python-Dev] Enable Hostname and Certificate Chain Validation

[Donald Stufft]

On Jan 22, 2014, at 9:33 AM, Christian Heimes <christian at python.org> wrote:

> On 22.01.2014 15:12, Jesse Noller wrote:
>> And no one reads it. I can't count the number of times I've gotten called into a managers office when they find out python doesn't do cert validation by default (and in 2, it's not been trivial) and gotten told to fix it, or we move off of python.
>> 
>> Donald is perfectly right: every time you point out to users that this is the default behavior the response is almost universally "you can't be serious, is this a joke?"
> 
> Yes, you are right. :(
> 
> About two months ago (maybe three) I proposed to deprecated implicit SSL
> context, unverified certs and unverified hostnames all together. But I
> was voted down. Donald made a similar attempt half an year ago, too.

Last time I tried the reasoning was that Python couldn’t ship root certs
and we couldn’t get to the OS certs everywhere. Thanks to you this
is fixed now, so “once more unto the breach”.

> 
> Can't we just mark these things as pending deprecated in Python 3.4 so
> people start fixing their code *now*?

+10000

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140122/6f6469c9/attachment.sig>