[Python-Dev] PEP 476: Enabling certificate validation by default!

Hi all, I've just submitted PEP 476, on enabling certificate validation by default for HTTPS clients in Python. Please have a look and let me know what you think. PEP text follows. Alex --- PEP: 476 Title: Enabling certificate verification by default for stdlib http clients Version: $Revision

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 29.08.2014 21:47, Alex Gaynor wrote: > Hi all, > > I've just submitted PEP 476, on enabling certificate validation by default for > HTTPS clients in Python. Please have a look and let me know what you think. > > PEP text follows. Thanks for the PEP. I think this is generally a good idea, but

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Alex Gaynor gmail.com> writes: > > Hi all, > > I've just submitted PEP 476, on enabling certificate validation by default for > HTTPS clients in Python. Please have a look and let me know what you think. Yes please. The two most commons answers I get to "Why did you switch to go?" are "Concu

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 08/29/2014 01:00 PM, M.-A. Lemburg wrote: On 29.08.2014 21:47, Alex Gaynor wrote: I've just submitted PEP 476, on enabling certificate validation by default for HTTPS clients in Python. Please have a look and let me know what you think. Thanks for the PEP. I think this is generally a good

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

> On Aug 29, 2014, at 4:00 PM, "M.-A. Lemburg" wrote: > > * choice of trusted certificate: > > Instead of hard wiring using the system CA roots into > Python it would be good to just make this default and > permit the user to point Python to a different set of > CA roots. > > This w

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Sorry I was on my phone and didn’t get to fully reply to this. > On Aug 29, 2014, at 4:00 PM, M.-A. Lemburg wrote: > > On 29.08.2014 21:47, Alex Gaynor wrote: >> Hi all, >> >> I've just submitted PEP 476, on enabling certificate validation by default >> for >> HTTPS clients in Python. Please

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Fri, 29 Aug 2014 17:11:35 -0400, Donald Stufft wrote: > Sorry I was on my phone and didn’t get to fully reply to this. > > On Aug 29, 2014, at 4:00 PM, M.-A. Lemburg wrote: > > > > * configuration: > > > > It would be good to be able to switch this on or off > > without having to chang

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Fri, 29 Aug 2014 17:11:35 -0400 Donald Stufft wrote: > > Another problem with this is that I don’t think it’s actually > possible to do. Python itself isn’t validating the TLS certificates, > OpenSSL is doing that. To my knowledge OpenSSL doesn’t > have a way to say “please validate these cert

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 29.08.2014 23:11, Donald Stufft wrote: > > Sorry I was on my phone and didn’t get to fully reply to this. > >> On Aug 29, 2014, at 4:00 PM, M.-A. Lemburg wrote: >> >> On 29.08.2014 21:47, Alex Gaynor wrote: >>> Hi all, >>> >>> I've just submitted PEP 476, on enabling certificate validation by

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Fri, 29 Aug 2014 17:42:34 -0400 "R. David Murray" wrote: > > Especially if you want an accelerated change, there must be a way to > *easily* get back to the previous behavior, or we are going to catch a > lot of flack. There may be only 7% of public certs that are problematic, > but I'd be wi

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

> On Aug 29, 2014, at 5:42 PM, R. David Murray wrote: > > On Fri, 29 Aug 2014 17:11:35 -0400, Donald Stufft wrote: >> Sorry I was on my phone and didn’t get to fully reply to this. >>> On Aug 29, 2014, at 4:00 PM, M.-A. Lemburg wrote: >>> >>> * configuration: >>> >>> It would be good to be

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

> On Aug 29, 2014, at 5:58 PM, M.-A. Lemburg wrote: > > On 29.08.2014 23:11, Donald Stufft wrote: >> >> Sorry I was on my phone and didn’t get to fully reply to this. >> >>> On Aug 29, 2014, at 4:00 PM, M.-A. Lemburg wrote: >>> >>> On 29.08.2014 21:47, Alex Gaynor wrote: Hi all, >

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Fri, 29 Aug 2014 18:08:19 -0400 Donald Stufft wrote: > > > > Are you sure that's possible ? Python doesn't load the > > openssl.cnf file and the SSL_CERT_FILE, SSL_CERT_DIR env > > vars only work for the openssl command line binary, AFAIK. > > I’m not 100% sure on that. I know they are not li

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Fri, 29 Aug 2014 18:00:50 -0400, Donald Stufft wrote: > > On Aug 29, 2014, at 5:42 PM, R. David Murray wrote: > > Especially if you want an accelerated change, there must be a way to > > *easily* get back to the previous behavior, or we are going to catch a > > lot of flack. There may be onl

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Thanks for the rapid feedback everyone! I want to summarize the action items and discussion points that have come up so far: To add to the PEP: * Emit a warning in 3.4.next for cases that would raise a Exception in 3.5 * Clearly state that the existing OpenSSL environment variables will be res

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 30.08.2014 04:44, Alex Gaynor wrote: > Thanks for the rapid feedback everyone! > > I want to summarize the action items and discussion points that have come up > so > far: > > To add to the PEP: > > * Emit a warning in 3.4.next for cases that would raise a Exception in 3.5 > * Clearly state

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Sat, 30 Aug 2014 12:19:11 +0200 "M.-A. Lemburg" wrote: > > To add to the PEP: > > > > * Emit a warning in 3.4.next for cases that would raise a Exception in 3.5 > > * Clearly state that the existing OpenSSL environment variables will be > > respected for setting the trust root > > I'd also

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 30.08.2014 12:40, Antoine Pitrou wrote: > On Sat, 30 Aug 2014 12:19:11 +0200 > "M.-A. Lemburg" wrote: >>> To add to the PEP: >>> >>> * Emit a warning in 3.4.next for cases that would raise a Exception in 3.5 >>> * Clearly state that the existing OpenSSL environment variables will be >>> respe

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

30 August 2014 03:44, Alex Gaynor wrote: > Discussion points: > > * Disabling verification entirely externally to the program, through a CLI > flag > or environment variable. I'm pretty down on this idea, the problem you hit > is > that it's a pretty blunt instrument to swing, and it's almo

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Sat, 30 Aug 2014 12:46:47 +0200 "M.-A. Lemburg" wrote: > The change is to the OpenSSL API, not the OpenSSL lib. By setting > the variable you enable a few special calls to the config loader > functions in OpenSSL when calling the initializer it: > > https://www.openssl.org/docs/crypto/OPENSSL_

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 30.08.2014 12:55, Antoine Pitrou wrote: > On Sat, 30 Aug 2014 12:46:47 +0200 > "M.-A. Lemburg" wrote: >> The change is to the OpenSSL API, not the OpenSSL lib. By setting >> the variable you enable a few special calls to the config loader >> functions in OpenSSL when calling the initializer it:

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Sat, 30 Aug 2014 14:03:57 +0200, "M.-A. Lemburg" wrote: > On 30.08.2014 12:55, Antoine Pitrou wrote: > > On Sat, 30 Aug 2014 12:46:47 +0200 > > "M.-A. Lemburg" wrote: > >>> That use case should be served with the SSL_CERT_DIR and SSL_CERT_FILE > >>> env vars (or, better, by specific settings *

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 30.08.2014 15:32, R. David Murray wrote: > On Sat, 30 Aug 2014 14:03:57 +0200, "M.-A. Lemburg" wrote: >> On 30.08.2014 12:55, Antoine Pitrou wrote: >>> On Sat, 30 Aug 2014 12:46:47 +0200 >>> "M.-A. Lemburg" wrote: > That use case should be served with the SSL_CERT_DIR and SSL_CERT_FILE >>>

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

From: R. David Murray<mailto:rdmur...@bitdance.com> Sent: ‎8/‎30/‎2014 6:33 To: python-dev@python.org<mailto:python-dev@python.org> Subject: Re: [Python-Dev] PEP 476: Enabling certificate validation by default! On Sat, 30 Aug 2014 14:03:57 +0200, "M.-A. Lemburg" wrote: >

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

The Windows certificate store is used by ``load_default_certs``: * https://github.com/python/cpython/blob/master/Lib/ssl.py#L379-L381 * https://docs.python.org/3.4/library/ssl.html#ssl.enum_certificates Cheers, Alex ___ Python-Dev mailing list Python-D

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 30 August 2014 16:22, Alex Gaynor wrote: > The Windows certificate store is used by ``load_default_certs` Cool, in which case this sounds like a good plan. I have no particular opinion on whether there should be a global Python-level "don't check certificates" option, but I would suggest that

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Paul Moore : > Cool, in which case this sounds like a good plan. I have no particular > opinion on whether there should be a global Python-level "don't check > certificates" option, but I would suggest that the docs include a > section explaining how a user can implement a > "--no-check-certificat

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Aug 30, 2014, at 12:19 PM, M.-A. Lemburg wrote: >The reasoning here is the same as for hash randomization. There >are cases where you want to test your application using self-signed >certificates which don't validate against the system CA root list. > >In those cases, you do know what you're do

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 30.08.2014 17:22, Alex Gaynor wrote: > The Windows certificate store is used by ``load_default_certs``: > > * https://github.com/python/cpython/blob/master/Lib/ssl.py#L379-L381 > * https://docs.python.org/3.4/library/ssl.html#ssl.enum_certificates The Windows part of load_default_certs() has o

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Zitat von Christian Heimes : On 30.08.2014 17:22, Alex Gaynor wrote: The Windows certificate store is used by ``load_default_certs``: * https://github.com/python/cpython/blob/master/Lib/ssl.py#L379-L381 * https://docs.python.org/3.4/library/ssl.html#ssl.enum_certificates The Windows part of

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 30 Aug 2014 06:08, "Ethan Furman" wrote: > > On 08/29/2014 01:00 PM, M.-A. Lemburg wrote: >> >> On 29.08.2014 21:47, Alex Gaynor wrote: >>> >>> >>> I've just submitted PEP 476, on enabling certificate validation by default for >>> HTTPS clients in Python. Please have a look and let me know what

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Sun, 31 Aug 2014 09:26:30 +1000 Nick Coghlan wrote: > >> > >> * configuration: > >> > >> It would be good to be able to switch this on or off > >> without having to change the code, e.g. via a command > >> line switch and environment variable; perhaps even > >> controlling whe

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Sun, 31 Aug 2014 03:25:25 +0200, Antoine Pitrou wrote: > On Sun, 31 Aug 2014 09:26:30 +1000 > Nick Coghlan wrote: > > >> > > >> * configuration: > > >> > > >> It would be good to be able to switch this on or off > > >> without having to change the code, e.g. via a command > > >>

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

mar...@v.loewis.de writes: > BTW, it's patented: > > http://www.google.de/patents/US6816900 Damn them. I hope they never get a look at my crontab. ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-d

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31 August 2014 12:21, R. David Murray wrote: > On Sun, 31 Aug 2014 03:25:25 +0200, Antoine Pitrou > wrote: >> On Sun, 31 Aug 2014 09:26:30 +1000 >> Nick Coghlan wrote: >> > In relation to changing the Python CLI API to offer some of the wget/curl >> > style command line options, I like the i

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

> On Aug 31, 2014, at 2:09 AM, Nick Coghlan wrote: > > At the same time, we need to account for the fact that most existing > organisations still trust in perimeter defence for their internal > network security, and hence tolerate (or even actively encourage) the > use of unsecured connections,

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31 August 2014 12:21, R. David Murray wrote: > Do those knobs allow one to instruct urllib to accept an invalid > certificate without changing the program code? My first reply ended up being a context dump of the challenges created by legacy corporate intranets that may not be immediately obvi

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31 August 2014 16:16, Donald Stufft wrote: > > On Aug 31, 2014, at 2:09 AM, Nick Coghlan wrote: > > At the same time, we need to account for the fact that most existing > organisations still trust in perimeter defence for their internal > network security, and hence tolerate (or even actively

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31 August 2014 07:45, Nick Coghlan wrote: > There's also the fact that most corporate Python users are > unlikely to know that PyPI exists, let alone that it contains a module > called "requests" that does SSL certificate validation by default. > Those of us in the corporate world that interact

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 30.08.2014 00:22, Antoine Pitrou wrote: > SSL_CERT_DIR and SSL_CERT_FILE are used, if set, when > SSLContext.load_verify_locations() is called. > > Actually, come to think of it, this allows us to write a better > test for that method. Patch welcome! The environment vars are used only when SSL

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Sun, 31 Aug 2014 16:45:42 +1000, Nick Coghlan wrote: > On 31 August 2014 16:16, Donald Stufft wrote: > > > > On Aug 31, 2014, at 2:09 AM, Nick Coghlan wrote: > > > > At the same time, we need to account for the fact that most existing > > organisations still trust in perimeter defence for the

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31.08.2014 16:16, R. David Murray wrote: > Self -signed certificates are not crazy in an internal corporate > environment even when properly playing the defense in depth game. Once > you've acked the cert the first time, you will be warned if it changes > (like an ssh host key). Sure, as Nick

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31 August 2014 17:27, Christian Heimes wrote: > It's very simple to trust a self-signed certificate: just download it > and stuff it into the trust store. "Stuff it into the trust store" is the hard bit, though. I have honestly no idea how to do that. Or if it's temporary (which it likely is)

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31.08.2014 08:24, Nick Coghlan wrote: > To answer David's specific question, the existing knobs at the OpenSSL > level (SSL_CERT_DIR and SSL_CERT_FILE ) let people add an internal CA, > opt out of the default CA system, and trust *specific* self-signed > certs. This works only on Unix platforms

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Le 31/08/2014 19:03, Paul Moore a écrit : On 31 August 2014 17:27, Christian Heimes wrote: It's very simple to trust a self-signed certificate: just download it and stuff it into the trust store. "Stuff it into the trust store" is the hard bit, though. I have honestly no idea how to do that.

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31 August 2014 18:29, Antoine Pitrou wrote: > If an application has special needs that require trusting a self-signed > certificate, then it should expose a configuration setting to let users > specify the cert's location. I can't see how that would be something the application would know. For

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Le 31/08/2014 20:28, Paul Moore a écrit : I can't see how that would be something the application would know. For example, pip allows me to specify an "alternate cert bundle" but not a single additional cert. So IIUC, I can't use my local index that serves https using a self-signed cert. I'd fin

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31 August 2014 19:37, Antoine Pitrou wrote: > Well, it's certainly pip's responsibility more than Python's. What would > Python do? Provide a setting that would blindly add a cert for all uses of > httplib? That's more or less my point, pip doesn't have that much better idea than Python. I was

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Le 31/08/2014 21:12, Paul Moore a écrit : On 31 August 2014 19:37, Antoine Pitrou wrote: Well, it's certainly pip's responsibility more than Python's. What would Python do? Provide a setting that would blindly add a cert for all uses of httplib? That's more or less my point, pip doesn't have

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31.08.2014 19:29, Antoine Pitrou wrote: > You certainly shouldn't do so. If an application has special needs that > require trusting a self-signed certificate, then it should expose a > configuration setting to let users specify the cert's location. Stuffing > self-signed certs into the system t

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31 August 2014 21:15, Antoine Pitrou wrote: > What do you call your local cert store? I was referring to Christian's comment > It's very simple to trust a self-signed certificate: just download it and > stuff it into the trust store. >From his recent response, I guess he meant the system sto

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 1 Sep 2014 06:32, "Paul Moore" wrote: > > On 31 August 2014 21:15, Antoine Pitrou wrote: > > What do you call your local cert store? > > I was referring to Christian's comment > > It's very simple to trust a self-signed certificate: just download it and stuff it into the trust store. > > From

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31.08.2014 08:09, Nick Coghlan wrote: > As Antoine says here, I'm also opposed to adding more Python specific > configuration options. However, I think there may be something > worthwhile we can do that's closer to the way browsers work, and has > the significant benefit of being implementable a

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Le 31/08/2014 23:41, Nick Coghlan a écrit : Right, this is why I came to the conclusion we need to follow the browser vendors lead here and support a per-user Python specific supplementary certificate cache before we can start validating certs by default at the *Python* level. There are still too

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31.08.2014 22:30, Paul Moore wrote: > On 31 August 2014 21:15, Antoine Pitrou wrote: >> What do you call your local cert store? > > I was referring to Christian's comment >> It's very simple to trust a self-signed certificate: just download it and >> stuff it into the trust store. I was refe

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 1 Sep 2014 07:43, "Christian Heimes" wrote: > > On 31.08.2014 08:09, Nick Coghlan wrote: > > As Antoine says here, I'm also opposed to adding more Python specific > > configuration options. However, I think there may be something > > worthwhile we can do that's closer to the way browsers work,

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

> On Aug 31, 2014, at 5:43 PM, Christian Heimes wrote: > > On 31.08.2014 08:09, Nick Coghlan wrote: >> As Antoine says here, I'm also opposed to adding more Python specific >> configuration options. However, I think there may be something >> worthwhile we can do that's closer to the way browsers

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 1 Sep 2014 08:15, "Donald Stufft" wrote: > > >> On Aug 31, 2014, at 5:43 PM, Christian Heimes wrote: >> >> Companies could install them in a system global directory on their >> servers. Users could put them in their own user site directory and even >> each virtual env can have one sslcustomize

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Mon, 01 Sep 2014 08:10:58 +1000, Nick Coghlan wrote: > On 1 Sep 2014 07:43, "Christian Heimes" wrote: > > > > On 31.08.2014 08:09, Nick Coghlan wrote: > > > As Antoine says here, I'm also opposed to adding more Python specific > > > configuration options. However, I think there may be somethin

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 1 September 2014 11:10, R. David Murray wrote: > > It sounds like this would address my concerns as well (I don't really > care *how* it is implemented as long as I don't have to touch the > code of a third party application when I upgrade my python version to > 3.5...remember, the context here

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 31 August 2014 23:10, Nick Coghlan wrote: > Assuming sslcustomize was in site-packages rather than the standard library > directories, you would also be able to use virtual environments with an > appropriate sslcustomize module to disable cert checking even if the > application you were running

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 1 September 2014 16:07, Paul Moore wrote: > On 31 August 2014 23:10, Nick Coghlan wrote: >> Assuming sslcustomize was in site-packages rather than the standard library >> directories, you would also be able to use virtual environments with an >> appropriate sslcustomize module to disable cert

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 01.09.2014 08:44, Nick Coghlan wrote: > Yes, it would have exactly the same security failure modes as > sitecustomize, except it would only fire if the application > imported the ssl module. > > The "-S" and "-I" switches would need to disable the implied > "sslcustomize", just as they disabl

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 1 September 2014 17:13, Christian Heimes wrote: > On 01.09.2014 08:44, Nick Coghlan wrote: >> Yes, it would have exactly the same security failure modes as >> sitecustomize, except it would only fire if the application >> imported the ssl module. >> >> The "-S" and "-I" switches would need to d

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Le 01/09/2014 10:09, Nick Coghlan a écrit : > On 1 September 2014 17:13, Christian Heimes wrote: >> On 01.09.2014 08:44, Nick Coghlan wrote: >>> Yes, it would have exactly the same security failure modes as >>> sitecustomize, except it would only fire if the application >>> imported the ssl module

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Mon, Sep 1, 2014 at 10:41 PM, Antoine Pitrou wrote: > Not sure why. Just put another module named "ssl" in sys.modules directly. > You can also monkeypatch the genuine ssl module. That has to be done inside the same process. But imagine this scenario: You have a program that gets invoked as ro

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Mon, 1 Sep 2014 23:24:39 +1000 Chris Angelico wrote: > On Mon, Sep 1, 2014 at 10:41 PM, Antoine Pitrou wrote: > > Not sure why. Just put another module named "ssl" in sys.modules directly. > > You can also monkeypatch the genuine ssl module. > > That has to be done inside the same process. Bu

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Mon, Sep 1, 2014 at 11:34 PM, Antoine Pitrou wrote: > On Mon, 1 Sep 2014 23:24:39 +1000 > Chris Angelico wrote: >> On Mon, Sep 1, 2014 at 10:41 PM, Antoine Pitrou wrote: >> > Not sure why. Just put another module named "ssl" in sys.modules directly. >> > You can also monkeypatch the genuine s

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Mon, 1 Sep 2014 23:42:10 +1000 Chris Angelico wrote: > On Mon, Sep 1, 2014 at 11:34 PM, Antoine Pitrou wrote: > > On Mon, 1 Sep 2014 23:24:39 +1000 > > Chris Angelico wrote: > >> On Mon, Sep 1, 2014 at 10:41 PM, Antoine Pitrou wrote: > >> > Not sure why. Just put another module named "ssl" i

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 2 Sep 2014 00:08, "Antoine Pitrou" wrote: > > On Mon, 1 Sep 2014 23:42:10 +1000 > Chris Angelico wrote: > > >> > > >> That has to be done inside the same process. But imagine this > > >> scenario: You have a program that gets invoked as root (or some other > > >> user than yourself), and you'r

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Tue, 2 Sep 2014 00:53:11 +1000 Nick Coghlan wrote: > On 2 Sep 2014 00:08, "Antoine Pitrou" wrote: > > > > On Mon, 1 Sep 2014 23:42:10 +1000 > > Chris Angelico wrote: > > > >> > > > >> That has to be done inside the same process. But imagine this > > > >> scenario: You have a program that gets

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 2 Sep 2014 00:59, "Antoine Pitrou" wrote: > > On Tue, 2 Sep 2014 00:53:11 +1000 > Nick Coghlan wrote: > > > > > > To be frank I don't understand what you're arguing about. > > > > When I said "shadowing ssl can be tricky to arrange", Chris correctly > > interpreted it as referring to the files

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

> On Sep 1, 2014, at 11:35 AM, Nick Coghlan wrote: > > > On 2 Sep 2014 00:59, "Antoine Pitrou" > wrote: > > > > On Tue, 2 Sep 2014 00:53:11 +1000 > > Nick Coghlan mailto:ncogh...@gmail.com>> wrote: > > > > > > > > To be frank I don't understand what you're arguing a

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 01.09.2014 17:35, Nick Coghlan wrote: > Oh, now I get what you mean - yes, sitecustomize already poses the same > kind of problem as the proposed sslcustomize (hence the existence of the > related command line options). If an attacker is able to place a module like sitecustomize.py in an import

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

> On Sep 1, 2014, at 1:01 PM, Christian Heimes wrote: > > On 01.09.2014 17:35, Nick Coghlan wrote: >> Oh, now I get what you mean - yes, sitecustomize already poses the same >> kind of problem as the proposed sslcustomize (hence the existence of the >> related command line options). > > If an a

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 2 Sep 2014 03:08, "Donald Stufft" wrote: > > >> On Sep 1, 2014, at 1:01 PM, Christian Heimes wrote: >> >> On 01.09.2014 17:35, Nick Coghlan wrote: >>> >>> Oh, now I get what you mean - yes, sitecustomize already poses the same >>> kind of problem as the proposed sslcustomize (hence the existen

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Aug 29, 2014, at 7:44 PM, Alex Gaynor wrote: > Disabling verification entirely externally to the program, through a CLI flag > or environment variable. I'm pretty down on this idea, the problem you hit is > that it's a pretty blunt instrument to swing, and it's almost impossible to > imagin

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Tue, 2 Sep 2014 14:00:02 -0700 Glyph Lefkowitz wrote: > > I would strongly recommend against such a mechanism. > > For what it's worth, Twisted simply unconditionally started verifying > certificates in 14.0 with no "disable" switch, and (to my knowledge) > literally no users have complaine

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 1 Sep 2014 16:05, "Nick Coghlan" wrote: > > The final change would be to seed the context factory map > appropriately for the standard library modules where we wanted to keep > the *old* default: > > for modname in ("nntplib", "poplib", "imaplib", "ftplib", > "smtplib", "asyncio.selector_ev

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Antoine Pitrou pitrou.net> writes: > > And how many people are using Twisted as an HTTPS client? > (compared to e.g. Python's httplib, and all the third-party libraries > building on it?) > I don't think anyone could give an honest estimate of these counts, however there's two factors to bare

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Tue, 2 Sep 2014 22:16:18 + (UTC) Alex Gaynor wrote: > > > Furthermore, "disable verification" is a nonsensical thing to do with TLS. > > > > It's not. For example, if you have an expired cert, all you can do > > AFAIK is to disable verification. > > It really is a nonsensical operation, a

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 02.09.2014 23:32, Antoine Pitrou wrote: >> Furthermore, "disable verification" is a nonsensical thing to do with TLS. > > It's not. For example, if you have an expired cert, all you can do > AFAIK is to disable verification. It's possible to ignore or just warn about expired certs with simple

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 3 Sep 2014 08:18, "Alex Gaynor" wrote: > > Antoine Pitrou pitrou.net> writes: > > > > > And how many people are using Twisted as an HTTPS client? > > (compared to e.g. Python's httplib, and all the third-party libraries > > building on it?) > > > > I don't think anyone could give an honest est

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Nick Coghlan gmail.com> writes: > Creating *new* incompatibilities between Python 2 & Python 3 is a major point > of concern. Clearly this change should be backported to Python2. -David ___ Python-Dev mailing list Python-Dev@python.org https://mail

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Tue, 02 Sep 2014 22:16:18 -, Alex Gaynor wrote: > This whole scenario seems to be predicated on a siutation where: You have a > peer whose certificate you can't change, and you have a piece of code you > can't > change, and you're going to upgrade your Python installation, and you want to

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Sep 2, 2014, at 4:01 PM, Nick Coghlan wrote: > > On 3 Sep 2014 08:18, "Alex Gaynor" wrote: > > > > Antoine Pitrou pitrou.net> writes: > > > > > > > > And how many people are using Twisted as an HTTPS client? > > > (compared to e.g. Python's httplib, and all the third-party libraries > > >

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 3 Sep 2014 09:08, "David Reid" wrote: > > Nick Coghlan gmail.com> writes: > > > Creating *new* incompatibilities between Python 2 & Python 3 is a major point > > of concern. > > Clearly this change should be backported to Python2. Proposing to break backwards compatibility in a maintenance re

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Sep 2, 2014, at 4:28 PM, Nick Coghlan wrote: > On 3 Sep 2014 09:08, "David Reid" wrote: > > > > Nick Coghlan gmail.com> writes: > > > > > Creating *new* incompatibilities between Python 2 & Python 3 is a major > > > point > > > of concern. > > > > Clearly this change should be backported t

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

> On Sep 2, 2014, at 7:47 PM, Glyph Lefkowitz wrote: > > > On Sep 2, 2014, at 4:28 PM, Nick Coghlan > wrote: > >> On 3 Sep 2014 09:08, "David Reid" mailto:dr...@dreid.org>> >> wrote: >> > >> > Nick Coghlan gmail.com > writes: >> > >> > > Creatin

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Tue, 2 Sep 2014 16:47:35 -0700 Glyph Lefkowitz wrote: > > On Sep 2, 2014, at 4:28 PM, Nick Coghlan wrote: > > > On 3 Sep 2014 09:08, "David Reid" wrote: > > > > > > Nick Coghlan gmail.com> writes: > > > > > > > Creating *new* incompatibilities between Python 2 & Python 3 is a major > > >

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 9/2/2014 7:47 PM, Glyph Lefkowitz wrote: On Sep 2, 2014, at 4:28 PM, Nick Coghlan mailto:ncogh...@gmail.com>> wrote: On 3 Sep 2014 09:08, "David Reid" mailto:dr...@dreid.org>> wrote: > Clearly this change should be backported to Python2. Proposing to break backwards compatibility in a m

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Tue, 02 Sep 2014 20:59:54 -0400, Terry Reedy wrote: > On 9/2/2014 7:47 PM, Glyph Lefkowitz wrote: > > > > On Sep 2, 2014, at 4:28 PM, Nick Coghlan > > wrote: > > > >> On 3 Sep 2014 09:08, "David Reid" >> > wrote: > > >> > Clearly this change

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Antoine Pitrou writes: > On Tue, 2 Sep 2014 16:47:35 -0700 > Glyph Lefkowitz wrote: > > As we keep saying, this is not a break in backwards > > compatibility, it's a bug fix. > > Keeping saying it doesn't make it magically true. It's not "magically" true, it is "just" true. What the hard

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 3 September 2014 01:19, Antoine Pitrou wrote: > Keeping saying it doesn't make it magically true. Sure, but it *is* true, at the very least for HTTP. RFC 2818 (HTTP over TLS) has the following language in section 3.1: > If the hostname is available, the client MUST check it against the > ser

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 3 Sep 2014 18:28, "Cory Benfield" wrote: > This is definitely true, and this change is both. The only question > that matters is whether we believe we're doing users a service by > breaking their code. I'd argue, along with Glyph, Alex and Donald, > that we are. I've been on the losing side of

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Wed, 3 Sep 2014 20:34:32 +1000 Nick Coghlan wrote: > > The backwards compatibility argument only applies to Python 2 maintenance > releases (where dreid indicated an intention to request backporting the > change), and there I'm quite happy to take the position of "use requests, > Twisted or Py

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Tue, 02 Sep 2014 21:29:16 -0400 "R. David Murray" wrote: > > The top proposal so far is an sslcustomize.py file that could be used to > either decrease or increase the default security. This is a much less > handy solution than application options (eg, curl, wget) that allow > disabling secur

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On Wed, 03 Sep 2014 16:31:13 +0200, Antoine Pitrou wrote: > On Tue, 02 Sep 2014 21:29:16 -0400 > "R. David Murray" wrote: > > > > The top proposal so far is an sslcustomize.py file that could be used to > > either decrease or increase the default security. This is a much less > > handy solution

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

On 09/03/2014 08:58 AM, R. David Murray wrote: I'm OK with letting go of this invalid-cert issue myself, given the lack of negative feedback Twisted got. I'll just keep my fingers crossed. I apologize if I missed this point, but if we have the source code then it is possible to go in and dire

Re: [Python-Dev] PEP 476: Enabling certificate validation by default!

Ethan Furman stoneleaf.us> writes: > > I apologize if I missed this point, but if we have the source code then it is > possible to go in and directly modify the application/utility to be able to > talk over https to a router with an invalid certificate? This is an option > when creating the ssl

  1   2   >