Message 275306 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	ncoghlan
Recipients	Lukasa, alex, christian.heimes, dstufft, giampaolo.rodola, janssen, martin.panter, ncoghlan, orsenthil, vstinner
Date	2016-09-09.11:09:38
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1473419378.63.0.777606959826.issue28022@psf.upfronthosting.co.za>
In-reply-to

Content
+1 for directing all programmatic configuration through SSLContext However, implicitly verifying certificates for protocols other than HTTPS needs to be contingent on a properly designed approach to configuration that leaves informed users in full control of the behaviour of their systems - while I'm fully supportive of secure-by-default behaviour to protect unaware users, it's also the case that most other protocols haven't had the forcing function of web browser behaviour encouraging them to improve their certificate handling, and even that's still in a tragically bad state once you get away from the public web. The file based scheme in PEP 493, https://www.python.org/dev/peps/pep-0493/#backporting-pep-476-to-earlier-python-versions, was deliberately written to be potentially suitable for expansion to other protocols, but actually using it for that purpose would require the definition of a new feature PEP targeting 3.7 (which may then potentially be pitched for backporting to earlier versions as a subsequent proposal).

+1 for directing all programmatic configuration through SSLContext

However, implicitly verifying certificates for protocols other than HTTPS needs to be contingent on a properly designed approach to configuration that leaves informed users in full control of the behaviour of their systems - while I'm fully supportive of secure-by-default behaviour to protect unaware users, it's also the case that most other protocols haven't had the forcing function of web browser behaviour encouraging them to improve their certificate handling, and even that's still in a tragically bad state once you get away from the public web.

The file based scheme in PEP 493, https://www.python.org/dev/peps/pep-0493/#backporting-pep-476-to-earlier-python-versions, was deliberately written to be potentially suitable for expansion to other protocols, but actually using it for that purpose would require the definition of a new feature PEP targeting 3.7 (which may then potentially be pitched for backporting to earlier versions as a subsequent proposal).

History
Date	User	Action	Args
2016-09-09 11:09:38	ncoghlan	set	recipients: + ncoghlan, janssen, orsenthil, vstinner, giampaolo.rodola, christian.heimes, alex, martin.panter, dstufft, Lukasa
2016-09-09 11:09:38	ncoghlan	set	messageid: <1473419378.63.0.777606959826.issue28022@psf.upfronthosting.co.za>
2016-09-09 11:09:38	ncoghlan	link	issue28022 messages
2016-09-09 11:09:38	ncoghlan	create