Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-08 Thread Gregory P. Smith
On Wed, Sep 3, 2014 at 3:48 PM, Stephen J. Turnbull wrote: > Guido van Rossum writes: > > > lot: five years ago (when I worked at Google!) it was common to find > > internal services that required SSL but had a misconfigured certificate, > > and the only way to access those services was to ove

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-08 Thread M.-A. Lemburg
On 01.09.2014 10:09, Nick Coghlan wrote: > On 1 September 2014 17:13, Christian Heimes wrote: >> On 01.09.2014 08:44, Nick Coghlan wrote: >>> Yes, it would have exactly the same security failure modes as >>> sitecustomize, except it would only fire if the application >>> imported the ssl module. >

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-04 Thread Nick Coghlan
On 4 September 2014 22:39, Antoine Pitrou wrote: > On Thu, 4 Sep 2014 13:11:38 +1000 > Nick Coghlan wrote: >> That leaves Python 2.7, and I have to say I'm now persuaded that a >> backport (including any required httplib and urllib features) is the >> right way to go. One of the tasks I'd been dr

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-04 Thread Antoine Pitrou
On Thu, 4 Sep 2014 13:11:38 +1000 Nick Coghlan wrote: > That leaves Python 2.7, and I have to say I'm now persuaded that a > backport (including any required httplib and urllib features) is the > right way to go. One of the tasks I'd been dreading as a follow-on > from PEP 466 was organising the c

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Nick Coghlan
On 4 September 2014 10:00, Ethan Furman wrote: > On 09/03/2014 04:36 PM, Antoine Pitrou wrote: >> >> On Thu, 4 Sep 2014 09:19:56 +1000 >> Nick Coghlan wrote: Python is routinely updated to bugfix releases by Linux distributions and other distribution channels, you usually have

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Ethan Furman
On 09/03/2014 05:00 PM, Ethan Furman wrote: On 09/03/2014 04:36 PM, Antoine Pitrou wrote: On Thu, 4 Sep 2014 09:19:56 +1000 Nick Coghlan wrote: Python is routinely updated to bugfix releases by Linux distributions and other distribution channels, you usually have no say over what's shipped in

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Ethan Furman
On 09/03/2014 04:36 PM, Antoine Pitrou wrote: On Thu, 4 Sep 2014 09:19:56 +1000 Nick Coghlan wrote: Python is routinely updated to bugfix releases by Linux distributions and other distribution channels, you usually have no say over what's shipped in those updates. This is not like changing the

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Antoine Pitrou
On Thu, 4 Sep 2014 09:19:56 +1000 Nick Coghlan wrote: > > > > Python is routinely updated to bugfix releases by Linux distributions > > and other distribution channels, you usually have no say over what's > > shipped in those updates. This is not like changing the major version > > used for execut

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Nick Coghlan
On 4 Sep 2014 06:39, "Alex Gaynor" wrote: > > Guido van Rossum writes: > > > OK, that changes my position for 2.7 (but not for 3.5). I had assumed there > > was a way to disable the cert check by changing one parameter to the > > urlopen() call. (And I had wanted to add that there sho

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Nick Coghlan
On 4 Sep 2014 04:39, "Antoine Pitrou" wrote: > > On Wed, 3 Sep 2014 10:54:55 -0700 > Guido van Rossum wrote: > > > > Let's take the plunge on this issue for the next 2.7 release (3.5 being a > > done deal). > > I'm entirely against this. > > > Yes, some people will find that they have an old scri

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Benjamin Peterson
On Wed, Sep 3, 2014, at 13:37, Alex Gaynor wrote: > Guido van Rossum writes: > > > OK, that changes my position for 2.7 (but not for 3.5). I had assumed there > > was a way to disable the cert check by changing one parameter to the > > urlopen() call. (And I had wanted to add that the

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Stephen J. Turnbull
Guido van Rossum writes: > lot: five years ago (when I worked at Google!) it was common to find > internal services that required SSL but had a misconfigured certificate, > and the only way to access those services was to override the browser > complaints. Today (working at Dropbox, a much sma

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Alex Gaynor
Guido van Rossum writes: > OK, that changes my position for 2.7 (but not for 3.5). I had assumed there > was a way to disable the cert check by changing one parameter to the > urlopen() call. (And I had wanted to add that there should be a clear FAQ > about the subject.) If this isn't

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Christian Heimes
On 03.09.2014 21:37, Guido van Rossum wrote: > OK, that changes my position for 2.7 (but not for 3.5). I had > assumed there was a way to disable the cert check by changing one > parameter to the urlopen() call. (And I had wanted to add that > there should be a clear FAQ about the subject.) If this

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Christian Heimes
On 03.09.2014 21:37, Victor Stinner wrote: > Thanks, you replied before I asked the question :-) (If > certificates are validated by default, how do you disable the > checks?) > > Sorry, I didn't follow the whole discussion and Python 2.7 changes > related to security. Does Python 2.7 support loa

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Ethan Furman
On 09/03/2014 12:10 PM, R. David Murray wrote: On Wed, 03 Sep 2014 10:09:36 -0700, Ethan Furman wrote: On 09/03/2014 08:58 AM, R. David Murray wrote: I'm OK with letting go of this invalid-cert issue myself, given the lack of negative feedback Twisted got. I'll just keep my fingers crossed.

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Guido van Rossum
OK, that changes my position for 2.7 (but not for 3.5). I had assumed there was a way to disable the cert check by changing one parameter to the urlopen() call. (And I had wanted to add that there should be a clear FAQ about the subject.) If this isn't possible that changes the situation. (But I st

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Victor Stinner
2014-09-03 21:26 GMT+02:00 Christian Heimes : > On 03.09.2014 19:54, Guido van Rossum wrote: > I'm +1 for Python 3.5 but -1 for Python 2.7. > > The SSLContext backport will land in Python 2.7.9 (to be released). No > Python 2 user is familiar with the feature yet. But more importantly: > None of

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Christian Heimes
On 03.09.2014 19:54, Guido van Rossum wrote: > Let's take the plunge on this issue for the next 2.7 release (3.5 being > a done deal). Yes, some people will find that they have an old script > accessing an old service which breaks. Surely some of the other changes > in the same 2.7 bugfix release w

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Guido van Rossum
Antoine, I think we are well past the point where arguments can sway positions. There clearly is no agreement on this issue. So please treat my post as a BDFL tie-breaker. I will just give you one thing to ponder -- those small/non-profit websites that can't afford proper certs are exactly the ones

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread R. David Murray
On Wed, 03 Sep 2014 10:09:36 -0700, Ethan Furman wrote: > On 09/03/2014 08:58 AM, R. David Murray wrote: > > > > I'm OK with letting go of this invalid-cert issue myself, given the lack > > of negative feedback Twisted got. I'll just keep my fingers crossed. > > I apologize if I missed this poin

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Christian Heimes
On 03.09.2014 19:29, Ethan Furman wrote: > Excellent. Last question (I hope): it is possible to (easily) create an > SSLContext that will verify against a self-signed certificate? Yes: context = ssl.create_default_context(cafile="/path/to/selfsigned.pem") That works iff the certificate is va

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread R. David Murray
On Wed, 03 Sep 2014 20:37:38 +0200, Antoine Pitrou wrote: > On Wed, 3 Sep 2014 10:54:55 -0700 > Guido van Rossum wrote: > > Today (working at Dropbox, a much smaller company!) I don't > > even remember the last time I had to deal with such a browser > > complaint -- internal services here all red

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Donald Stufft
> On Sep 3, 2014, at 1:54 PM, Guido van Rossum wrote: > > On Wed, Sep 3, 2014 at 8:58 AM, R. David Murray > wrote: > I'm OK with letting go of this invalid-cert issue myself, given the lack > of negative feedback Twisted got. I'll just keep my fingers crossed. >

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Antoine Pitrou
On Wed, 3 Sep 2014 10:54:55 -0700 Guido van Rossum wrote: > > Let's take the plunge on this issue for the next 2.7 release (3.5 being a > done deal). I'm entirely against this. > Yes, some people will find that they have an old script > accessing an old service which breaks. Surely some of the

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Guido van Rossum
On Wed, Sep 3, 2014 at 8:58 AM, R. David Murray wrote: > I'm OK with letting go of this invalid-cert issue myself, given the lack > of negative feedback Twisted got. I'll just keep my fingers crossed. > I'm with this sentiment (cautiously +1) -- and not just because of Twisted's experience or G

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Ethan Furman
On 09/03/2014 10:15 AM, Alex Gaynor wrote: Ethan Furman writes: I apologize if I missed this point, but if we have the source code then it is possible to go in and directly modify the application/utility to be able to talk over https to a router with an invalid certificate? This is an option w

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Alex Gaynor
Ethan Furman writes: > > I apologize if I missed this point, but if we have the source code then it is > possible to go in and directly modify the application/utility to be able to > talk over https to a router with an invalid certificate? This is an option > when creating the ssl

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Ethan Furman
On 09/03/2014 08:58 AM, R. David Murray wrote: I'm OK with letting go of this invalid-cert issue myself, given the lack of negative feedback Twisted got. I'll just keep my fingers crossed. I apologize if I missed this point, but if we have the source code then it is possible to go in and dire

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread R. David Murray
On Wed, 03 Sep 2014 16:31:13 +0200, Antoine Pitrou wrote: > On Tue, 02 Sep 2014 21:29:16 -0400 > "R. David Murray" wrote: > > > > The top proposal so far is an sslcustomize.py file that could be used to > > either decrease or increase the default security. This is a much less > > handy solution

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Antoine Pitrou
On Tue, 02 Sep 2014 21:29:16 -0400 "R. David Murray" wrote: > > The top proposal so far is an sslcustomize.py file that could be used to > either decrease or increase the default security. This is a much less > handy solution than application options (eg, curl, wget) that allow > disabling secur

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Antoine Pitrou
On Wed, 3 Sep 2014 20:34:32 +1000 Nick Coghlan wrote: > > The backwards compatibility argument only applies to Python 2 maintenance > releases (where dreid indicated an intention to request backporting the > change), and there I'm quite happy to take the position of "use requests, > Twisted or Py

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Nick Coghlan
On 3 Sep 2014 18:28, "Cory Benfield" wrote: > This is definitely true, and this change is both. The only question > that matters is whether we believe we're doing users a service by > breaking their code. I'd argue, along with Glyph, Alex and Donald, > that we are. I've been on the losing side of

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-03 Thread Cory Benfield
On 3 September 2014 01:19, Antoine Pitrou wrote: > Keeping saying it doesn't make it magically true. Sure, but it *is* true, at the very least for HTTP. RFC 2818 (HTTP over TLS) has the following language in section 3.1: > If the hostname is available, the client MUST check it against the > ser

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Stephen J. Turnbull
Antoine Pitrou writes: > On Tue, 2 Sep 2014 16:47:35 -0700 > Glyph Lefkowitz wrote: > > As we keep saying, this is not a break in backwards > > compatibility, it's a bug fix. > > Keeping saying it doesn't make it magically true. It's not "magically" true, it is "just" true. What the hard

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread R. David Murray
On Tue, 02 Sep 2014 20:59:54 -0400, Terry Reedy wrote: > On 9/2/2014 7:47 PM, Glyph Lefkowitz wrote: > > > > On Sep 2, 2014, at 4:28 PM, Nick Coghlan > > wrote: > > > >> On 3 Sep 2014 09:08, "David Reid" >> > wrote: > > >> > Clearly this change

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Terry Reedy
On 9/2/2014 7:47 PM, Glyph Lefkowitz wrote: On Sep 2, 2014, at 4:28 PM, Nick Coghlan wrote: On 3 Sep 2014 09:08, "David Reid" wrote: > Clearly this change should be backported to Python2. Proposing to break backwards compatibility in a m

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Antoine Pitrou
On Tue, 2 Sep 2014 16:47:35 -0700 Glyph Lefkowitz wrote: > > On Sep 2, 2014, at 4:28 PM, Nick Coghlan wrote: > > > On 3 Sep 2014 09:08, "David Reid" wrote: > > > > > > Nick Coghlan writes: > > > > > > > Creating *new* incompatibilities between Python 2 & Python 3 is a major > > >

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Donald Stufft
> On Sep 2, 2014, at 7:47 PM, Glyph Lefkowitz wrote: > > > On Sep 2, 2014, at 4:28 PM, Nick Coghlan > wrote: > >> On 3 Sep 2014 09:08, "David Reid" >> wrote: >> > >> > Nick Coghlan writes: >> > >> > > Creatin

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Glyph Lefkowitz
On Sep 2, 2014, at 4:28 PM, Nick Coghlan wrote: > On 3 Sep 2014 09:08, "David Reid" wrote: > > > > Nick Coghlan writes: > > > > > Creating *new* incompatibilities between Python 2 & Python 3 is a major > > > point > > > of concern. > > > > Clearly this change should be backported t

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Nick Coghlan
On 3 Sep 2014 09:08, "David Reid" wrote: > > Nick Coghlan writes: > > > Creating *new* incompatibilities between Python 2 & Python 3 is a major point > > of concern. > > Clearly this change should be backported to Python2. Proposing to break backwards compatibility in a maintenance re

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Glyph Lefkowitz
On Sep 2, 2014, at 4:01 PM, Nick Coghlan wrote: > > On 3 Sep 2014 08:18, "Alex Gaynor" wrote: > > > > Antoine Pitrou writes: > > > > > > > > And how many people are using Twisted as an HTTPS client? > > > (compared to e.g. Python's httplib, and all the third-party libraries > > >

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread R. David Murray
On Tue, 02 Sep 2014 22:16:18 -, Alex Gaynor wrote: > This whole scenario seems to be predicated on a situation where: You have a > peer whose certificate you can't change, and you have a piece of code you > can't > change, and you're going to upgrade your Python installation, and you want to

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread David Reid
Nick Coghlan writes: > Creating *new* incompatibilities between Python 2 & Python 3 is a major point > of concern. Clearly this change should be backported to Python2. -David

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Nick Coghlan
On 3 Sep 2014 08:18, "Alex Gaynor" wrote: > > Antoine Pitrou writes: > > > > > And how many people are using Twisted as an HTTPS client? > > (compared to e.g. Python's httplib, and all the third-party libraries > > building on it?) > > > > I don't think anyone could give an honest est

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Christian Heimes
On 02.09.2014 23:32, Antoine Pitrou wrote: >> Furthermore, "disable verification" is a nonsensical thing to do with TLS. > > It's not. For example, if you have an expired cert, all you can do > AFAIK is to disable verification. It's possible to ignore or just warn about expired certs with simple

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Antoine Pitrou
On Tue, 2 Sep 2014 22:16:18 + (UTC) Alex Gaynor wrote: > > > Furthermore, "disable verification" is a nonsensical thing to do with TLS. > > > > It's not. For example, if you have an expired cert, all you can do > > AFAIK is to disable verification. > > It really is a nonsensical operation, a

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Alex Gaynor
Antoine Pitrou writes: > > And how many people are using Twisted as an HTTPS client? > (compared to e.g. Python's httplib, and all the third-party libraries > building on it?) > I don't think anyone could give an honest estimate of these counts, however there's two factors to bear

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Nick Coghlan
On 1 Sep 2014 16:05, "Nick Coghlan" wrote: > > The final change would be to seed the context factory map > appropriately for the standard library modules where we wanted to keep > the *old* default: > > for modname in ("nntplib", "poplib", "imaplib", "ftplib", > "smtplib", "asyncio.selector_ev

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Antoine Pitrou
On Tue, 2 Sep 2014 14:00:02 -0700 Glyph Lefkowitz wrote: > > I would strongly recommend against such a mechanism. > > For what it's worth, Twisted simply unconditionally started verifying > certificates in 14.0 with no "disable" switch, and (to my knowledge) > literally no users have complaine

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-02 Thread Glyph Lefkowitz
On Aug 29, 2014, at 7:44 PM, Alex Gaynor wrote: > Disabling verification entirely externally to the program, through a CLI flag > or environment variable. I'm pretty down on this idea, the problem you hit is > that it's a pretty blunt instrument to swing, and it's almost impossible to > imagin

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Nick Coghlan
On 2 Sep 2014 03:08, "Donald Stufft" wrote: > > >> On Sep 1, 2014, at 1:01 PM, Christian Heimes wrote: >> >> On 01.09.2014 17:35, Nick Coghlan wrote: >>> >>> Oh, now I get what you mean - yes, sitecustomize already poses the same >>> kind of problem as the proposed sslcustomize (hence the existen

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Donald Stufft
> On Sep 1, 2014, at 1:01 PM, Christian Heimes wrote: > > On 01.09.2014 17:35, Nick Coghlan wrote: >> Oh, now I get what you mean - yes, sitecustomize already poses the same >> kind of problem as the proposed sslcustomize (hence the existence of the >> related command line options). > > If an a

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Christian Heimes
On 01.09.2014 17:35, Nick Coghlan wrote: > Oh, now I get what you mean - yes, sitecustomize already poses the same > kind of problem as the proposed sslcustomize (hence the existence of the > related command line options). If an attacker is able to place a module like sitecustomize.py in an import

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Donald Stufft
> On Sep 1, 2014, at 11:35 AM, Nick Coghlan wrote: > > > On 2 Sep 2014 00:59, "Antoine Pitrou" > wrote: > > > > On Tue, 2 Sep 2014 00:53:11 +1000 > > Nick Coghlan wrote: > > > > > > > > To be frank I don't understand what you're arguing a

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Nick Coghlan
On 2 Sep 2014 00:59, "Antoine Pitrou" wrote: > > On Tue, 2 Sep 2014 00:53:11 +1000 > Nick Coghlan wrote: > > > > > > To be frank I don't understand what you're arguing about. > > > > When I said "shadowing ssl can be tricky to arrange", Chris correctly > > interpreted it as referring to the files

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Antoine Pitrou
On Tue, 2 Sep 2014 00:53:11 +1000 Nick Coghlan wrote: > On 2 Sep 2014 00:08, "Antoine Pitrou" wrote: > > > > On Mon, 1 Sep 2014 23:42:10 +1000 > > Chris Angelico wrote: > > > >> > > > >> That has to be done inside the same process. But imagine this > > > >> scenario: You have a program that gets

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Nick Coghlan
On 2 Sep 2014 00:08, "Antoine Pitrou" wrote: > > On Mon, 1 Sep 2014 23:42:10 +1000 > Chris Angelico wrote: > > >> > > >> That has to be done inside the same process. But imagine this > > >> scenario: You have a program that gets invoked as root (or some other > > >> user than yourself), and you'r

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Antoine Pitrou
On Mon, 1 Sep 2014 23:42:10 +1000 Chris Angelico wrote: > On Mon, Sep 1, 2014 at 11:34 PM, Antoine Pitrou wrote: > > On Mon, 1 Sep 2014 23:24:39 +1000 > > Chris Angelico wrote: > >> On Mon, Sep 1, 2014 at 10:41 PM, Antoine Pitrou wrote: > >> > Not sure why. Just put another module named "ssl" i

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Chris Angelico
On Mon, Sep 1, 2014 at 11:34 PM, Antoine Pitrou wrote: > On Mon, 1 Sep 2014 23:24:39 +1000 > Chris Angelico wrote: >> On Mon, Sep 1, 2014 at 10:41 PM, Antoine Pitrou wrote: >> > Not sure why. Just put another module named "ssl" in sys.modules directly. >> > You can also monkeypatch the genuine s

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Antoine Pitrou
On Mon, 1 Sep 2014 23:24:39 +1000 Chris Angelico wrote: > On Mon, Sep 1, 2014 at 10:41 PM, Antoine Pitrou wrote: > > Not sure why. Just put another module named "ssl" in sys.modules directly. > > You can also monkeypatch the genuine ssl module. > > That has to be done inside the same process. Bu

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Chris Angelico
On Mon, Sep 1, 2014 at 10:41 PM, Antoine Pitrou wrote: > Not sure why. Just put another module named "ssl" in sys.modules directly. > You can also monkeypatch the genuine ssl module. That has to be done inside the same process. But imagine this scenario: You have a program that gets invoked as ro

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Antoine Pitrou
Le 01/09/2014 10:09, Nick Coghlan a écrit : > On 1 September 2014 17:13, Christian Heimes wrote: >> On 01.09.2014 08:44, Nick Coghlan wrote: >>> Yes, it would have exactly the same security failure modes as >>> sitecustomize, except it would only fire if the application >>> imported the ssl module

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Nick Coghlan
On 1 September 2014 17:13, Christian Heimes wrote: > On 01.09.2014 08:44, Nick Coghlan wrote: >> Yes, it would have exactly the same security failure modes as >> sitecustomize, except it would only fire if the application >> imported the ssl module. >> >> The "-S" and "-I" switches would need to d

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-09-01 Thread Christian Heimes
On 01.09.2014 08:44, Nick Coghlan wrote: > Yes, it would have exactly the same security failure modes as > sitecustomize, except it would only fire if the application > imported the ssl module. > > The "-S" and "-I" switches would need to disable the implied > "sslcustomize", just as they disabl

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Nick Coghlan
On 1 September 2014 16:07, Paul Moore wrote: > On 31 August 2014 23:10, Nick Coghlan wrote: >> Assuming sslcustomize was in site-packages rather than the standard library >> directories, you would also be able to use virtual environments with an >> appropriate sslcustomize module to disable cert

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Paul Moore
On 31 August 2014 23:10, Nick Coghlan wrote: > Assuming sslcustomize was in site-packages rather than the standard library > directories, you would also be able to use virtual environments with an > appropriate sslcustomize module to disable cert checking even if the > application you were running

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Nick Coghlan
On 1 September 2014 11:10, R. David Murray wrote: > > It sounds like this would address my concerns as well (I don't really > care *how* it is implemented as long as I don't have to touch the > code of a third party application when I upgrade my python version to > 3.5...remember, the context here

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread R. David Murray
On Mon, 01 Sep 2014 08:10:58 +1000, Nick Coghlan wrote: > On 1 Sep 2014 07:43, "Christian Heimes" wrote: > > > > On 31.08.2014 08:09, Nick Coghlan wrote: > > > As Antoine says here, I'm also opposed to adding more Python specific > > > configuration options. However, I think there may be somethin

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Nick Coghlan
On 1 Sep 2014 08:15, "Donald Stufft" wrote: > > >> On Aug 31, 2014, at 5:43 PM, Christian Heimes wrote: >> >> Companies could install them in a system global directory on their >> servers. Users could put them in their own user site directory and even >> each virtual env can have one sslcustomize

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Donald Stufft
> On Aug 31, 2014, at 5:43 PM, Christian Heimes wrote: > > On 31.08.2014 08:09, Nick Coghlan wrote: >> As Antoine says here, I'm also opposed to adding more Python specific >> configuration options. However, I think there may be something >> worthwhile we can do that's closer to the way browsers

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Nick Coghlan
On 1 Sep 2014 07:43, "Christian Heimes" wrote: > > On 31.08.2014 08:09, Nick Coghlan wrote: > > As Antoine says here, I'm also opposed to adding more Python specific > > configuration options. However, I think there may be something > > worthwhile we can do that's closer to the way browsers work,

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Christian Heimes
On 31.08.2014 22:30, Paul Moore wrote: > On 31 August 2014 21:15, Antoine Pitrou wrote: >> What do you call your local cert store? > > I was referring to Christian's comment >> It's very simple to trust a self-signed certificate: just download it and >> stuff it into the trust store. I was refe

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Antoine Pitrou
Le 31/08/2014 23:41, Nick Coghlan a écrit : Right, this is why I came to the conclusion we need to follow the browser vendors lead here and support a per-user Python specific supplementary certificate cache before we can start validating certs by default at the *Python* level. There are still too

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Christian Heimes
On 31.08.2014 08:09, Nick Coghlan wrote: > As Antoine says here, I'm also opposed to adding more Python specific > configuration options. However, I think there may be something > worthwhile we can do that's closer to the way browsers work, and has > the significant benefit of being implementable a

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Nick Coghlan
On 1 Sep 2014 06:32, "Paul Moore" wrote: > > On 31 August 2014 21:15, Antoine Pitrou wrote: > > What do you call your local cert store? > > I was referring to Christian's comment > > It's very simple to trust a self-signed certificate: just download it and stuff it into the trust store. > > From

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Paul Moore
On 31 August 2014 21:15, Antoine Pitrou wrote: > What do you call your local cert store? I was referring to Christian's comment > It's very simple to trust a self-signed certificate: just download it and > stuff it into the trust store. From his recent response, I guess he meant the system sto

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Christian Heimes
On 31.08.2014 19:29, Antoine Pitrou wrote: > You certainly shouldn't do so. If an application has special needs that > require trusting a self-signed certificate, then it should expose a > configuration setting to let users specify the cert's location. Stuffing > self-signed certs into the system t

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Antoine Pitrou
Le 31/08/2014 21:12, Paul Moore a écrit : On 31 August 2014 19:37, Antoine Pitrou wrote: Well, it's certainly pip's responsibility more than Python's. What would Python do? Provide a setting that would blindly add a cert for all uses of httplib? That's more or less my point, pip doesn't have

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Paul Moore
On 31 August 2014 19:37, Antoine Pitrou wrote: > Well, it's certainly pip's responsibility more than Python's. What would > Python do? Provide a setting that would blindly add a cert for all uses of > httplib? That's more or less my point, pip doesn't have that much better idea than Python. I was

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Antoine Pitrou
Le 31/08/2014 20:28, Paul Moore a écrit : I can't see how that would be something the application would know. For example, pip allows me to specify an "alternate cert bundle" but not a single additional cert. So IIUC, I can't use my local index that serves https using a self-signed cert. I'd fin

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Paul Moore
On 31 August 2014 18:29, Antoine Pitrou wrote: > If an application has special needs that require trusting a self-signed > certificate, then it should expose a configuration setting to let users > specify the cert's location. I can't see how that would be something the application would know. For

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Antoine Pitrou
On 31/08/2014 19:03, Paul Moore wrote: On 31 August 2014 17:27, Christian Heimes wrote: It's very simple to trust a self-signed certificate: just download it and stuff it into the trust store. "Stuff it into the trust store" is the hard bit, though. I have honestly no idea how to do that.

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Christian Heimes
On 31.08.2014 08:24, Nick Coghlan wrote: > To answer David's specific question, the existing knobs at the OpenSSL > level (SSL_CERT_DIR and SSL_CERT_FILE) let people add an internal CA, > opt out of the default CA system, and trust *specific* self-signed > certs. This works only on Unix platforms

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Paul Moore
On 31 August 2014 17:27, Christian Heimes wrote: > It's very simple to trust a self-signed certificate: just download it > and stuff it into the trust store. "Stuff it into the trust store" is the hard bit, though. I have honestly no idea how to do that. Or if it's temporary (which it likely is)

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Christian Heimes
On 31.08.2014 16:16, R. David Murray wrote: > Self-signed certificates are not crazy in an internal corporate > environment even when properly playing the defense in depth game. Once > you've acked the cert the first time, you will be warned if it changes > (like an ssh host key). Sure, as Nick

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread R. David Murray
On Sun, 31 Aug 2014 16:45:42 +1000, Nick Coghlan wrote: > On 31 August 2014 16:16, Donald Stufft wrote: > > > > On Aug 31, 2014, at 2:09 AM, Nick Coghlan wrote: > > > > At the same time, we need to account for the fact that most existing > > organisations still trust in perimeter defence for the

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Christian Heimes
On 30.08.2014 00:22, Antoine Pitrou wrote: > SSL_CERT_DIR and SSL_CERT_FILE are used, if set, when > SSLContext.load_verify_locations() is called. > > Actually, come to think of it, this allows us to write a better > test for that method. Patch welcome! The environment vars are used only when SSL

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-31 Thread Cory Benfield
On 31 August 2014 07:45, Nick Coghlan wrote: > There's also the fact that most corporate Python users are > unlikely to know that PyPI exists, let alone that it contains a module > called "requests" that does SSL certificate validation by default. > Those of us in the corporate world that interact

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-30 Thread Nick Coghlan
On 31 August 2014 16:16, Donald Stufft wrote: > > On Aug 31, 2014, at 2:09 AM, Nick Coghlan wrote: > > At the same time, we need to account for the fact that most existing > organisations still trust in perimeter defence for their internal > network security, and hence tolerate (or even actively

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-30 Thread Nick Coghlan
On 31 August 2014 12:21, R. David Murray wrote: > Do those knobs allow one to instruct urllib to accept an invalid > certificate without changing the program code? My first reply ended up being a context dump of the challenges created by legacy corporate intranets that may not be immediately obvi

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-30 Thread Donald Stufft
> On Aug 31, 2014, at 2:09 AM, Nick Coghlan wrote: > > At the same time, we need to account for the fact that most existing > organisations still trust in perimeter defence for their internal > network security, and hence tolerate (or even actively encourage) the > use of unsecured connections,

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-30 Thread Nick Coghlan
On 31 August 2014 12:21, R. David Murray wrote: > On Sun, 31 Aug 2014 03:25:25 +0200, Antoine Pitrou > wrote: >> On Sun, 31 Aug 2014 09:26:30 +1000 >> Nick Coghlan wrote: >> > In relation to changing the Python CLI API to offer some of the wget/curl >> > style command line options, I like the i

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-30 Thread Stephen J. Turnbull
mar...@v.loewis.de writes: > BTW, it's patented: > > http://www.google.de/patents/US6816900 Damn them. I hope they never get a look at my crontab.

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-30 Thread R. David Murray
On Sun, 31 Aug 2014 03:25:25 +0200, Antoine Pitrou wrote: > On Sun, 31 Aug 2014 09:26:30 +1000 > Nick Coghlan wrote: > > >> > > >> * configuration: > > >> > > >> It would be good to be able to switch this on or off > > >> without having to change the code, e.g. via a command > > >>

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-30 Thread Antoine Pitrou
On Sun, 31 Aug 2014 09:26:30 +1000 Nick Coghlan wrote: > >> > >> * configuration: > >> > >> It would be good to be able to switch this on or off > >> without having to change the code, e.g. via a command > >> line switch and environment variable; perhaps even > >> controlling whe

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-30 Thread Nick Coghlan
On 30 Aug 2014 06:08, "Ethan Furman" wrote: > > On 08/29/2014 01:00 PM, M.-A. Lemburg wrote: >> >> On 29.08.2014 21:47, Alex Gaynor wrote: >>> >>> >>> I've just submitted PEP 476, on enabling certificate validation by default for >>> HTTPS clients in Python. Please have a look and let me know what

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-30 Thread martin
Quoting Christian Heimes: On 30.08.2014 17:22, Alex Gaynor wrote: The Windows certificate store is used by ``load_default_certs``: * https://github.com/python/cpython/blob/master/Lib/ssl.py#L379-L381 * https://docs.python.org/3.4/library/ssl.html#ssl.enum_certificates The Windows part of

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-30 Thread Christian Heimes
On 30.08.2014 17:22, Alex Gaynor wrote: > The Windows certificate store is used by ``load_default_certs``: > > * https://github.com/python/cpython/blob/master/Lib/ssl.py#L379-L381 > * https://docs.python.org/3.4/library/ssl.html#ssl.enum_certificates The Windows part of load_default_certs() has o

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

2014-08-30 Thread Barry Warsaw
On Aug 30, 2014, at 12:19 PM, M.-A. Lemburg wrote: >The reasoning here is the same as for hash randomization. There >are cases where you want to test your application using self-signed >certificates which don't validate against the system CA root list. > >In those cases, you do know what you're do
