On 14 August 2016 at 09:14, Benjamin Peterson <benja...@python.org> wrote:
> Correctness of TLS certificate verification is known to depend deeply on
> distribution. Python began to verify certificates by default only in
> version 2.7.9. Many OS distributions (in particular, Ubuntu) did not
> enable verification for their stable distributions for backwards
> compatibility reasons. You might find looking at distro bugs for
> CVE-2014-9365 edifying.

For RHEL (and hence CentOS),
https://access.redhat.com/articles/2039753 summarises the current
status.

Since the system Python in RHEL 7.x is nominally Python 2.7.5, the
default behaviour reflects that. However, both PEP 466 and PEP 476
have been backported (as of RHEL 7.2 and the corresponding CentOS
release), so requests picks up the new capabilities implicitly, while
the standard library can be configured for default verification by
writing:

   [https]
   verify=enable

to /etc/python/cert-verification.cfg

Since folks are now able to force verification *off* via that same
configuration file mechanism, we've also reserved the right to
eventually change the default Python standard library behaviour on a
fresh RHEL 7 installation to be to verify certificates.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia
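As an added example (not code from this thread, from Red Hat, or from CPython), the following script reports the two things an administrator auditing a RHEL 7 host would want to know: what /etc/python/cert-verification.cfg asks for, and whether the running interpreter actually verifies HTTPS certificates by default. Assumptions, all labelled in the code: the file uses the [https] / verify=enable layout quoted above, the opposite setting is spelled verify=disable (the mail only says verification can be forced off via the same file), and the runtime check relies on the CPython convention that ssl._create_default_https_context points at the public create_default_context when verification is on.

```python
"""Audit the effective HTTPS certificate-verification state of this interpreter."""
import configparser  # Python 3 name; on the RHEL 7 system Python it is ConfigParser
import ssl

# Path quoted in the mail; override via read_config(path) for testing.
CONFIG_PATH = "/etc/python/cert-verification.cfg"

# Assumption: the accepted spellings for the verify key. Only "enable" appears
# in the mail; "disable" and "platform_default" are assumed counterparts.
VALID_SETTINGS = ("enable", "disable", "platform_default")


def parse_verify_setting(text):
    """Return the verify setting from config text, or 'platform_default' when
    the [https] section or the verify key is absent (interpreter default applies)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    value = parser.get("https", "verify", fallback="platform_default")
    value = value.strip().lower()
    if value not in VALID_SETTINGS:
        raise ValueError("unexpected verify setting: %r" % value)
    return value


def read_config(path=CONFIG_PATH):
    """Read the system config file; a missing file means no override is set."""
    try:
        with open(path) as fh:
            return parse_verify_setting(fh.read())
    except FileNotFoundError:
        return "platform_default"


def runtime_verification_enabled():
    """True when httplib/urllib HTTPS connections verify certificates right now.

    Assumption: CPython installs ssl._create_default_https_context as the
    factory used by HTTPSConnection; it is create_default_context when
    verification is on and _create_unverified_context when it has been
    switched off (by the cfg file, PEP 493 hooks, or monkeypatching)."""
    factory = getattr(ssl, "_create_default_https_context", None)
    if factory is None:
        return False  # pre-PEP 476 interpreter: no default-verification machinery
    return factory is ssl.create_default_context


if __name__ == "__main__":
    print("config file requests:", read_config())
    print("interpreter verifies by default:", runtime_verification_enabled())
```

A config that says enable while the runtime check reports False indicates something later in startup (a site hook or a monkeypatch) disabled verification again, which is the case worth investigating.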