[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-17 Thread Antoine Pitrou
Antoine Pitrou added the comment: http.client and urllib.request are already done (*), and imaplib is covered in issue10274. (*) http://docs.python.org/dev/library/http.client.html http://docs.python.org/dev/library/urllib.request.html Do you have other modules in mind or should I close this

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-17 Thread Éric Araujo
Changes by Éric Araujo: nosy: +eric.araujo

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-17 Thread david
david added the comment: Sorry, I don't remember seeing the change-set /commit showing that is now on by default. (for those modules).

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-17 Thread david
david added the comment: Are you referring to http://code.python.org/hg/branches/py3k/rev/86f97255bfc8 where there is now " 2.29 + .. warning:: 2.30 + If neither *cafile* nor *capath* is specified, an HTTPS request 2.31 + will not do any verification of the server's cer

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-17 Thread Antoine Pitrou
Antoine Pitrou added the comment: > Are you referring to > http://code.python.org/hg/branches/py3k/rev/86f97255bfc8 > > where there is now > " > 2.29 + .. warning:: > 2.30 + If neither *cafile* nor *capath* is specified, an HTTPS > request > 2.31 + will not do any veri

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-17 Thread david
david added the comment: Well, what are the usual paths for windows and linux? Just try those(by default) and if this fails (no ca's paths work) then raise an exception and have a parameter to disable this behaviour.

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-17 Thread Antoine Pitrou
Antoine Pitrou added the comment:

> Well, what are the usual paths for windows and linux?
> Just try those(by default) and if this fails (no ca's paths work) then
> raise an exception and have a parameter to disable this behaviour.

That's a possible resolution, but it needs a patch.

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-17 Thread Antoine Pitrou
Antoine Pitrou added the comment: Actually, it seems OpenSSL is often built with the paths to system certificates, which can be enabled by an undocumented function. See issue10443.

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-17 Thread david
david added the comment: Interesting but you may want to ask the openssl developers about this first.

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-18 Thread Martin v . Löwis
Martin v. Löwis added the comment: db: there *is* no "sane system ca path", or Python would have done that long ago. On Windows, it may be possible to drop OpenSSL, and use the system certificate store. However, that would be a major rewrite, and it may not be possible to provide the entire A

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-18 Thread Antoine Pitrou
Antoine Pitrou added the comment:

> The best that could be done is to provide a configuration option (e.g.
> global variable) that should be treated as a default value, and then
> leave it to people distributing Python to fill out this variable in a
> sensible way.

Actually, OpenSSL already doe

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-18 Thread Martin v . Löwis
Martin v. Löwis added the comment:

>> The best that could be done is to provide a configuration option (e.g.
>> global variable) that should be treated as a default value, and then
>> leave it to people distributing Python to fill out this variable in a
>> sensible way.
>
> Actually, OpenSSL al

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-18 Thread david
david added the comment:

On 19 November 2010 03:18, Martin v. Löwis wrote:
>
> Martin v. Löwis added the comment:
>
>>> The best that could be done is to provide a configuration option (e.g.
>>> global variable) that should be treated as a default value, and then
>>> leave it to people distrib

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-18 Thread Antoine Pitrou
Antoine Pitrou added the comment:

> > This may not be satisfying to users. For example, our Windows
> > distribution doesn't ship with any certificates (AFAIK); I have no
> > clue where exactly OpenSSL would be looking for them, either.
> > People worried about this problem probably would want a w

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-18 Thread david
david added the comment:

On 19 November 2010 03:48, Antoine Pitrou wrote:
>
> Antoine Pitrou added the comment:
>
>> > This may not be satisfying to users. For example, our Windows
>> > distribution doesn't ship with any certificates (AFAIK); I have no
>> > clue where exactly OpenSSL would be lo

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-18 Thread Martin v . Löwis
Martin v. Löwis added the comment:

>> This may not be satisfying to users. For example, our Windows
>> distribution doesn't ship with any certificates (AFAIK); I have no
>> clue where exactly OpenSSL would be looking for them, either.
>> People worried about this problem probably would want a way

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-18 Thread david
david added the comment:

On 19 November 2010 04:40, Martin v. Löwis wrote:
>
> Martin v. Löwis added the comment:
>
>>> This may not be satisfying to users. For example, our Windows
>>> distribution doesn't ship with any certificates (AFAIK); I have no
>>> clue where exactly OpenSSL would be loo

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-20 Thread Antoine Pitrou
Antoine Pitrou added the comment:

Martin,

> You misunderstood. I was not proposing that scripts provide a CA
> list, but that users might deploy a CA list into their Python
> installation, which is then picked up in the same way as you are asking
> for on Ubuntu.

Could you elaborate on what ki

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-20 Thread david
david added the comment:

On 21 November 2010 09:27, Antoine Pitrou wrote:
>
> Antoine Pitrou added the comment:
>
> Martin,
>
>> You misunderstood. I was not proposing that scripts provide a CA
>> list, but that users might deploy a CA list into their Python
>> installation, which is then pick

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-20 Thread Martin v . Löwis
Martin v. Löwis added the comment: Antoine, I was proposing that the Windows installation should have a folder where OpenSSL looks for certificates, and that users put trusted certificates into that folder. These should be the ones that set_default_verify_paths will use. Unfortunately, I don

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-21 Thread david
david added the comment: Back to the main issue here : So for python3 is it possible to make attempting to use capath(some common ones OR the openssl location capath if this is ok for use) the default(with failure to find a valid capath result in an exception being raised) ? Obviously if cafil

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-21 Thread Martin v . Löwis
Martin v. Löwis added the comment:

> So for python3 is it possible to make attempting to use capath(some
> common ones OR the openssl location capath if this is ok for use) the
> default(with failure to find a valid capath result in an exception
> being raised) ?

The default? That would be an i

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-21 Thread david
david added the comment:

On 21 November 2010 20:50, Martin v. Löwis wrote:
>
> Martin v. Löwis added the comment:
>
>> So for python3 is it possible to make attempting to use capath(some
>> common ones OR the openssl location capath if this is ok for use) the
>> default(with failure to find a

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-21 Thread Antoine Pitrou
Antoine Pitrou added the comment:

> > Having applications/scripts explicitly opt-in to a default CA
> > certificate list would be an option (then making those applications
> > break in installations where the default CA list is empty).
>
> "Errors should never pass silently."
> IMHO it is an er

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-21 Thread david
david added the comment: Fine. So if not in the ssl module what about for urllib etc.?

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-21 Thread Antoine Pitrou
Antoine Pitrou added the comment:

> Fine.
> So if not in the ssl module what about for urllib etc.?

The same answer really... We can't change default settings without breaking compatibility.

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-21 Thread Antoine Pitrou
Changes by Antoine Pitrou: nosy: -db

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-21 Thread david
david added the comment: So please close this bug. Apparently making things secure by default is too much to ask.

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-21 Thread david
Changes by david: resolution: -> rejected status: open -> closed

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-21 Thread Antoine Pitrou
Changes by Antoine Pitrou: resolution: rejected -> stage: needs patch -> status: closed -> open

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-21 Thread Martin v . Löwis
Martin v. Löwis added the comment: Here is a patch that changes SSLContext into a context manager, allowing to write code like with ssl.SSLContext(ssl.PROTOCOL_SSLv23): ssl.SSLContext.current().set_default_verify_path() res = urllib.request.urlopen("https://www.microsoft.co

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2010-11-25 Thread Senthil Kumaran
Changes by Senthil Kumaran: nosy: +orsenthil

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2011-01-11 Thread david
david added the comment: Thank you @loewis. However, I don't see where set_default_verify_path - is defined in the patch you have provided. It would also be nice to do something like this: import ssl ... ssl._FORCE_VERIFICATION = True and even better would be to determine the CA path as @pitr

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2011-01-11 Thread Martin v . Löwis
Martin v. Löwis added the comment:

> Thank you @loewis. However, I don't see where
> set_default_verify_path - is defined in the patch you have provided.

It's not defined in the patch, as it is already committed to Python.

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2011-01-11 Thread david
david added the comment: and what does it do ?

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2011-01-12 Thread Éric Araujo
Éric Araujo added the comment: We tend to spend some time on documentation: http://docs.python.org/dev/library/ssl#ssl.SSLContext.set_default_verify_paths

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2011-01-12 Thread david
david added the comment: Cool yeah. The documentation is good I asked the question because I wasn't sure if it was in a pending patch elsewhere in the bug tracker or was accepted. I guess I should have googled for it. Thank you.

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2011-11-09 Thread Nicolas Bareil
Nicolas Bareil added the comment: Hello, Your patch about SSLContext is great! But what can we do about python 2.x? I understand that we have to keep backward compatibility but something has to be done for improving current situation, even Paypal API (*) recommends using urllib.urlopen() to

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2011-11-09 Thread Martin v . Löwis
Martin v. Löwis added the comment:

> Your patch about SSLContext is great! But what can we do about python 2.x?

Adding new features to Python 2.7 is certainly not an option.

> what do you think about a DeprecationWarning at runtime?

What API exactly should this deprecate?

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2011-11-09 Thread Nicolas Bareil
Nicolas Bareil added the comment:

Martin v. Löwis writes:
>> what do you think about a DeprecationWarning at runtime?
>
> What API exactly should this deprecate?

Ooops, lapsus. I was thinking about a RuntimeWarning raised on HTTPS request (in httplib.HTTPSConnection.connect for instance).

[issue10441] some stdlib modules need to be updated to handle SSL certificate validation

2013-03-08 Thread Florian Weimer
Changes by Florian Weimer: nosy: +fweimer