
Author rkuska
Recipients alex, dstufft, janssen, ncoghlan, pitrou, rkuska, vstinner
Date 2015-04-03.10:38:05
Message-id <1428057486.92.0.857087998573.issue23857@psf.upfronthosting.co.za>
Content
The proposed patch adds the possibility to opt out of certificate verification.
Disclaimer: it is just a proof of concept, as the config value is hard-coded.

How does it work?
This patch depends on the existence of a config file which holds information about the protocol settings.

> $ cat cert-verification.conf
[https]  # each protocol affected by cert-verification got its own section
verify=platform_default

Possible values for verify are:
enable - to enable certificate verification
disable - to disable certificate verification
platform_default - to use default (platform-specific) settings

Why platform_default?
This choice is for users who don't care about the security settings, so they leave the decision to the platform (distro) from which they get Python. In rpm we can set a package not to replace user-edited configs when the rpm is updated, so if the user changes the default value in the config, the config will remain the same.

Python example:

>>> import http.client
>>> cn = http.client.HTTPSConnection('www.google.com')
>>> cn._context.verify_mode
0L  # CERT_NONE
>>> # config changed to verify=enable, still same interpreter
>>> cn2 = http.client.HTTPSConnection('www.google.com')
>>> cn2._context.verify_mode
2L  # CERT_REQUIRED

This is how the attached patch currently works, but I guess it would make more sense to make this behave consistently within the same interpreter even when the config is changed, and have the change propagated in the next interpreter run/service restart.

Also, the patch could be changed to be module based instead of protocol based, but this would also need patching of the affected modules.

I open the RFE mainly to see if there is a will to implement optional certificate verification in upstream, as it is in downstream [citation needed].

I've added some people to the nosy list based on https://docs.python.org/devguide/experts.html
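The config format and the three verify values described in this message, worked through as an added example (this is not the attached patch and not CPython code): it reads the [https] section with configparser, maps the value onto an ssl.SSLContext, and, unlike the proof of concept, fails closed on a missing or misspelled value so that a typo cannot silently turn verification off. The function names, the assumption that platform_default on an unpatched interpreter means verification enabled, and the sample config text are all mine.

```python
import configparser
import ssl

# Constructed sample config in the layout shown in the message (not the patch's file).
SAMPLE_CONF = """
[https]
verify=platform_default
"""

VALID_SETTINGS = {"enable", "disable", "platform_default"}


def read_verify_setting(conf_text, section="https"):
    """Return the verify= value for `section`, or 'enable' if it is absent or invalid.

    Failing closed is the defensive choice: an unreadable or misspelled setting
    must not result in an unverified TLS connection.
    """
    parser = configparser.ConfigParser(inline_comment_prefixes=("#",))
    parser.read_string(conf_text)
    value = parser.get(section, "verify", fallback="enable").strip().lower()
    if value not in VALID_SETTINGS:
        return "enable"
    return value


def make_context(setting):
    """Build an SSLContext for one of the three settings from the message.

    Assumption: the platform default here is full verification, which is what
    ssl.create_default_context() gives (CERT_REQUIRED plus hostname checking).
    A distro that patches the default could map 'platform_default' differently.
    """
    ctx = ssl.create_default_context()
    if setting == "disable":
        # Matches the CERT_NONE state the message shows for cn._context.verify_mode.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # 'enable' and 'platform_default' both keep the verifying default context.
    return ctx


def context_from_config(conf_text, section="https"):
    """Convenience wrapper: config text in, SSLContext out."""
    return make_context(read_verify_setting(conf_text, section))


if __name__ == "__main__":
    for text in (SAMPLE_CONF, "[https]\nverify=disable\n", "[https]\nverify=bogus\n"):
        setting = read_verify_setting(text)
        ctx = make_context(setting)
        print(f"{setting:17s} -> verify_mode={ctx.verify_mode!r} check_hostname={ctx.check_hostname}")
```

The context is meant to be passed explicitly, e.g. http.client.HTTPSConnection(host, context=ctx), rather than reached through the private _context attribute the interactive session above pokes at; that also sidesteps the in-interpreter inconsistency the message raises, because the caller decides when the config is re-read.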
History
Date | User | Action | Args
2015-04-03 10:38:07 | rkuska | set | recipients: + rkuska, ncoghlan, janssen, pitrou, vstinner, alex, dstufft
2015-04-03 10:38:06 | rkuska | set | messageid: <1428057486.92.0.857087998573.issue23857@psf.upfronthosting.co.za>
2015-04-03 10:38:06 | rkuska | link | issue23857 messages
2015-04-03 10:38:05 | rkuska | create |