This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients alex, barry, bkabrda, christian.heimes, doko, dstufft, janssen, lemburg, ncoghlan, pitrou, r.david.murray, rkuska, vstinner
Date 2015-05-08.22:14:38
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Please let me join the party. :)

Like Antoine and Donald I'm against an option to disable certificate validation. I truly believe it's the wrong approach for the problem. 

Users don't *want* to disable security checks either. They disable the check because a SSL verification error is disruptive and they want to get on with their lives. Because with Python they have no other easy option they take the quick and easy path. *Yoda's voice* If you end SSL verification now - if you choose the quick and easy path as others did - you will become an agent of evil.

I like to suggest a better way. Let's handle cert checks like Firefox or OpenSSH. Both give you the option to trust an unknown certificate for a specific host name and remember this trust, too. Let's add a feature to do the same with Python. Yes, it would require more work, additional features and careful engineering. But I strongly believe it's the better approach.

Rough design idea:

$ python ssl trustcert

This command retrieves the cert from and stores the mapping of to SPKI sha512 hash in a file/directory relative sys.prefix.

When a ssl._create_stdlib_context() context gets a verification error, then it checks the file for the hostname and SPKI hash of the leaf certificate.

This features requires access to SPKI as DER and a proper verify_cb callback function. Disclaimer: I have code for the first feature and a plan for the second.
Date User Action Args
2015-05-08 22:14:38christian.heimessetrecipients: + christian.heimes, lemburg, barry, doko, ncoghlan, janssen, pitrou, vstinner, alex, r.david.murray, bkabrda, dstufft, rkuska
2015-05-08 22:14:38christian.heimessetmessageid: <>
2015-05-08 22:14:38christian.heimeslinkissue23857 messages
2015-05-08 22:14:38christian.heimescreate