Message 200328 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	gvanrossum
Recipients	gvanrossum
Date	2013-10-18.23:18:53
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1382138334.23.0.419355699391.issue19292@psf.upfronthosting.co.za>
In-reply-to

Content
See discussion on https://groups.google.com/forum/#!topic/python-tulip/c_lqdFjPEbE . If you set sslcontext.verify_mode = ssl.CERT_REQUIRED and call sslcontext.set_default_verify_paths(), the stdlib ought to have enough smarts to use the system root certificates. I understand this is difficult, as the location of the root certificates may vary between Windows versions or installations. But if we leave this up to the app developer they are much more likely to disable certificate verification by setting verify_mode to CERT_NONE than to provide secure root certs (or do even less secure things, like using plain HTTP :-).

See discussion on https://groups.google.com/forum/#!topic/python-tulip/c_lqdFjPEbE .

If you set sslcontext.verify_mode = ssl.CERT_REQUIRED and call sslcontext.set_default_verify_paths(), the stdlib ought to have enough smarts to use the system root certificates.

I understand this is difficult, as the location of the root certificates may vary between Windows versions or installations.  But if we leave this up to the app developer they are much more likely to disable certificate verification by setting verify_mode to CERT_NONE than to provide secure root certs (or do even less secure things, like using plain HTTP :-).

History
Date	User	Action	Args
2013-10-18 23:18:54	gvanrossum	set	recipients: + gvanrossum
2013-10-18 23:18:54	gvanrossum	set	messageid: <1382138334.23.0.419355699391.issue19292@psf.upfronthosting.co.za>
2013-10-18 23:18:54	gvanrossum	link	issue19292 messages
2013-10-18 23:18:53	gvanrossum	create