On Sat, 30 Aug 2014 12:46:47 +0200
"M.-A. Lemburg" <m...@egenix.com> wrote:
> The change is to the OpenSSL API, not the OpenSSL lib. By setting
> the variable you enable a few special calls to the config loader
> functions in OpenSSL when calling the initializer it:
>
> https://www.openssl.org/docs/crypto/OPENSSL_config.html

Ah, ok. Do you have experience with openssl.cnf? Apparently, it is
meant for offline tools such as certificate generation, I am not sure
how it could impact certification validation.

> > That use case should be served with the SSL_CERT_DIR and SSL_CERT_FILE
> > env vars (or, better, by specific settings *inside* the application).
> >
> > I'm against multiplying environment variables, as it makes it more
> > difficult to assess the actual security of a setting. The danger of an
> > ill-secure setting is much more severe than with hash randomization.
>
> You have a point there. So how about just a python run-time switch
> and no env var ?

Well, why not, but does it have a value over letting the code properly
configure their SSLContext?

Regards

Antoine.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
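
The contrast discussed in the message above, as an added example that is not part of the original thread or of CPython's own code: it reports which trust-store environment variables are set, shows how `SSL_CERT_DIR` changes the default verify paths, and builds an `SSLContext` whose trust anchors are fixed in code. The helper names and the temporary directory standing in for a CA directory are assumptions; `ssl.PROTOCOL_TLS_CLIENT` requires Python 3.6 or later.

```python
import os
import ssl
import tempfile
from contextlib import contextmanager

# Names OpenSSL consults for its default trust store
# (normally SSL_CERT_FILE and SSL_CERT_DIR).
_DEFAULTS = ssl.get_default_verify_paths()
TRUST_ENV_VARS = (_DEFAULTS.openssl_cafile_env, _DEFAULTS.openssl_capath_env)


def env_trust_overrides(environ=None):
    """Return the trust-store variables present in environ, for auditing."""
    environ = os.environ if environ is None else environ
    return {name: environ[name] for name in TRUST_ENV_VARS if name in environ}


@contextmanager
def patched_env(**overrides):
    """Temporarily set environment variables (constructed scenario helper)."""
    saved = {key: os.environ.get(key) for key in overrides}
    os.environ.update(overrides)
    try:
        yield
    finally:
        for key, old in saved.items():
            if old is None:
                os.environ.pop(key, None)
            else:
                os.environ[key] = old


def default_capath_with_env(cert_dir):
    """CA directory the default paths resolve to when SSL_CERT_DIR is cert_dir."""
    with patched_env(**{_DEFAULTS.openssl_capath_env: cert_dir}):
        return ssl.get_default_verify_paths().capath


def explicit_context(capath):
    """Client context whose trust anchors are chosen in code, not by the environment."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    ctx.load_verify_locations(capath=capath)  # default paths are never loaded
    return ctx


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in CA directory
        print("trust env vars currently set:", env_trust_overrides())
        print("default capath with env var set:", default_capath_with_env(d))
        print("explicit context verify_mode:", explicit_context(d).verify_mode)
```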