On Aug 30, 2014, at 12:19 PM, M.-A. Lemburg wrote: >The reasoning here is the same as for hash randomization. There >are cases where you want to test your application using self-signed >certificates which don't validate against the system CA root list. > >In those cases, you do know what you're doing. The test would fail >otherwise and the reason is not a bug in your code, it's just >the fact that the environment you're running it in is a test >environment.
Exactly. I have test cases where I have to load up a self-signed cert via .load_cert_chain() and in the good-path tests, I expect to make successful https connections. I also have test cases that expect to fail when: * I load bogus self-signed certs * I have an http server masquerading as an https server * I load an expired self-signed cert It certainly makes sense for the default to be the most secure, but other use cases must be preserved. Cheers, -Barry _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com