[Python-Dev] PEP476: Enabling certificate validation by default

Guido van Rossum guido at python.org
Sun Sep 21 03:53:58 CEST 2014


OK, I'll hold off a bit on approving the PEP, but my intention is to
approve it. Go Alex go!

On Sat, Sep 20, 2014 at 4:03 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:

> On 21 September 2014 08:22, Guido van Rossum <guido at python.org> wrote:
> > Sounds good. Maybe we should put the specifically targeted releases in
> > PEP 476?
> >
> > Nick, do Christian's issues need to be mentioned in the PEP or should we
> > just keep those in the corresponding tracker items?
>
> They should be mentioned in the PEP, as they will impact the way the
> proposed change interacts with the platform trust database - I didn't
> realise the differences on Windows and Mac OS X myself until Christian
> mentioned them.
>
> To be completely independent of the system trust database in a
> reliable, cross-platform way, folks will need to use a custom SSL
> context that doesn't enable the system trust store, rather than
> relying on the OpenSSL config options - the latter will reliably *add*
> certificates, but they won't reliably ignore the default ones provided
> by the system.
>
> We may also need some clarification from Ned regarding the status of
> OpenSSL and the potential impact switching from dynamic linking to
> static linking of OpenSSL may have in terms of the
> "OPENSSL_X509_TEA_DISABLE" setting.
>
> Regards,
> Nick.
>
> --
> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>



-- 
--Guido van Rossum (python.org/~guido)
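The distinction Nick draws in the quoted message (a custom SSL context that never loads the platform trust store, versus OpenSSL config options that can only add trust anchors) can be seen directly from the `ssl` module. The following is an added example and is not code from this thread, from PEP 476, or from CPython itself. It assumes Python 3.7+ (for `ssl.PROTOCOL_TLS_CLIENT` and `subprocess.run(capture_output=True)`) and, for the optional demo, an `openssl` command-line binary on PATH to mint a throwaway CA; the CA subject and file names are made up for the demo.

```python
"""Trust only an explicitly supplied CA bundle, ignoring the platform store.

Added example, not code from the python-dev thread or PEP 476.
Assumes Python 3.7+ and (for demo()) an `openssl` binary on PATH.
"""
import os
import shutil
import ssl
import subprocess
import tempfile


def make_private_context(cafile=None, cadata=None):
    """Client context whose trust store starts empty.

    A bare ssl.SSLContext(...) does NOT call load_default_certs(), so the
    OS store (Windows cert store, macOS keychain) and the OpenSSL
    SSL_CERT_FILE / SSL_CERT_DIR locations are never consulted.  Only the
    anchors passed here are trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already implies both; state the intent explicitly.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile is not None or cadata is not None:
        ctx.load_verify_locations(cafile=cafile, cadata=cadata)
    return ctx


def make_system_context(extra_cafile=None):
    """Contrast: create_default_context() calls load_default_certs(), so the
    platform store is trusted.  An extra bundle can only be *added* on top;
    nothing here removes the system-provided anchors."""
    ctx = ssl.create_default_context()
    if extra_cafile is not None:
        ctx.load_verify_locations(cafile=extra_cafile)
    return ctx


def trust_anchor_count(ctx):
    """Number of CA certificates currently loaded into the context."""
    return ctx.cert_store_stats()["x509_ca"]


def verification_enabled(ctx):
    """True when the context both verifies the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def openssl_available():
    return shutil.which("openssl") is not None


def mint_throwaway_ca(directory):
    """Create a self-signed CA with the openssl CLI (assumed on PATH).

    basicConstraints CA:TRUE is added explicitly so that OpenSSL counts the
    certificate as a CA regardless of the local openssl.cnf defaults.
    Returns the path of the PEM certificate.
    """
    key = os.path.join(directory, "ca.key")  # hypothetical file names
    crt = os.path.join(directory, "ca.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", "/CN=Throwaway Test CA",  # made-up subject
         "-addext", "basicConstraints=critical,CA:TRUE",
         "-addext", "keyUsage=critical,keyCertSign,cRLSign"],
        check=True, capture_output=True,
    )
    return crt


def demo():
    """Return (private_count, system_count) after loading one minted CA.

    The private context trusts exactly that one anchor; the system context
    trusts it *plus* whatever the platform store already contained.
    """
    with tempfile.TemporaryDirectory() as d:
        cafile = mint_throwaway_ca(d)
        private = make_private_context(cafile=cafile)
        system = make_system_context(extra_cafile=cafile)
        return trust_anchor_count(private), trust_anchor_count(system)


if __name__ == "__main__":
    print("fresh private context trusts", trust_anchor_count(make_private_context()), "CAs")
    if openssl_available():
        print("after loading one CA (private, system):", demo())
```

The practical check is `cert_store_stats()["x509_ca"]`: for a context built this way it is exactly the number of anchors you loaded, whereas for `create_default_context()` it already reflects the platform store before you add anything, which is why environment variables and OpenSSL config cannot be used to *exclude* system roots.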