Thanks for the rapid feedback everyone!
I want to summarize the action items and discussion points that have come up so
far:
To add to the PEP:
* Emit a warning in 3.4.next for cases that would raise an Exception in 3.5
* Clearly state that the existing OpenSSL environment variables will be
respected for setting the trust root
Discussion points:
* Disabling verification entirely externally to the program, through a CLI flag
or environment variable. I'm pretty down on this idea, the problem you hit is
that it's a pretty blunt instrument to swing, and it's almost impossible to
imagine it not hitting things it shouldn't; it's far too likely to be used in
applications that make two sets of outbound connections: 1) to some internal
service which you want to disable verification on, and 2) some external
service which needs strong validation. A global flag causes the latter to
fail silently when subjected to a MITM attack, and that's exactly what we're
trying to avoid. It also makes things much harder for library authors: I
write an API client for some API, and make TLS connections to it. I want
those to be verified by default. I can't even rely on the httplib defaults,
because someone might disable them from the outside.
Cheers,
Alex
_______________________________________________
Python-Dev mailing list
Pyth...@python.org
https://mail.python.org/mailman/listinfo/python-dev
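
The per-connection scoping argued for in the message above, shown with the standard `ssl` and `http.client` modules. This is an added example, not part of the original post or of the PEP; the host names and function names are hypothetical.

```python
import http.client
import ssl


def external_context():
    """Context for public services: system trust roots, full validation."""
    ctx = ssl.create_default_context()
    # A library author can check its own context instead of trusting
    # whatever process-wide default happens to be in effect.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("external connections must validate certificates")
    return ctx


def internal_context(ca_file=None):
    """Context for one internal service only.

    With ca_file: trust only that private CA, and validation stays on.
    Without it: validation is off, but only for connections that are
    explicitly handed this context object.
    """
    if ca_file is not None:
        return ssl.create_default_context(cafile=ca_file)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_connections():
    """Build both outbound connections; nothing is sent until request()."""
    internal = http.client.HTTPSConnection(
        "inventory.internal.example", context=internal_context())
    external = http.client.HTTPSConnection(
        "api.example.com", context=external_context())
    return internal, external
```

The relaxed settings live on one context object, so the second set of connections keeps strict validation no matter how the first is configured.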
Re: [Python-Dev] PEP 476: Enabling certificate validation by default!