Message130514
> I'd rather recommend a different approach, where the set of CAs
> doesn't need to be specified for every module that directly or
> indirectly uses SSL. Instead, there should be support for a
> thread-local setting of the allowable CAs, and then no API changes are
> necessary.
While thread-local variables are fine in applications, I think they
should be avoided in libraries (especially the stdlib). There are too
many pitfalls (for example: the user decides to offload a network task
to a separate thread and different SSL parameters get silently used).
The API changes are quite simple, both in concept and in implementation.
I think explicit is really better than implicit when it comes to
security-critical parameters. |
|
Date |
User |
Action |
Args |
2011-03-10 16:57:07 | pitrou | set | recipients:
+ pitrou, loewis, kiilerix |
2011-03-10 16:57:06 | pitrou | link | issue10795 messages |
2011-03-10 16:57:06 | pitrou | create | |
|