On 31/08/2014 19:03, Paul Moore wrote:
> On 31 August 2014 17:27, Christian Heimes <christ...@python.org> wrote:
>> It's very simple to trust a self-signed certificate: just download it
>> and stuff it into the trust store.
>
> "Stuff it into the trust store" is the hard bit, though. I have
> honestly no idea how to do that.

You certainly shouldn't do so. If an application has special needs that
require trusting a self-signed certificate, then it should expose a
configuration setting to let users specify the cert's location. Stuffing
self-signed certs into the system trust store is really a measure of
last resort.
There's another case which isn't solved by this, though, which is when a
cert is invalid. The common situation being that it has expired
(renewing certs is a PITA and therefore expired certs are more common
than it sounds they should be). In this case, there is no way to
whitelist it: you have to disable certificate checking altogether. This
can be exposed by the application as a configuration option if necessary,
as well.
Regards
Antoine.
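
An added example, not part of the original message or of any project's code: one way an application could expose the two settings discussed above (a user-specified certificate location, and an explicit opt-out for an invalid certificate) with Python's `ssl` module. The names `TLSSettings`, `build_context` and `fetch` are hypothetical.

```python
import logging
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("tls_config")


@dataclass
class TLSSettings:
    """Hypothetical application settings; the field names are assumptions."""
    ca_file: Optional[str] = None  # PEM file holding the self-signed cert to trust
    verify: bool = True            # False is the explicit opt-out (e.g. expired cert)


def build_context(settings: TLSSettings) -> ssl.SSLContext:
    """Translate the application's settings into an SSLContext."""
    if not settings.verify:
        # Opt-out: chain, expiry and hostname checks are all skipped, so
        # make the choice visible in the logs.
        log.warning("TLS certificate verification disabled by configuration")
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if settings.ca_file:
        # With cafile given, create_default_context() loads only that file
        # and does not load the system trust store, so the self-signed cert
        # is trusted by this application alone. Hostname and expiry checks
        # still apply.
        return ssl.create_default_context(cafile=settings.ca_file)
    # Default: system trust store, full verification.
    return ssl.create_default_context()


def fetch(url: str, settings: TLSSettings) -> bytes:
    """Fetch a URL using the context derived from the settings."""
    with urllib.request.urlopen(url, context=build_context(settings)) as resp:
        return resp.read()
```

A missing or unreadable `ca_file` raises when the context is built, so a misconfigured path fails closed instead of silently falling back to another trust source.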