Showing content from http://mail.python.org/pipermail/python-dev/attachments/20140313/fa9aa86a/attachment.html below:
<html><body>
<p><tt><font size="2">Antoine Pitrou <solipsis@pitrou.net> wrote on 03/13/2014 01:46:12 PM:<br>
> On Thu, 13 Mar 2014 14:57:41 +0100<br>
> Victor Stinner <victor.stinner@gmail.com> wrote:<br>
> > 2014-03-13 11:49 GMT+01:00 Christian Heimes <christian@python.org>:<br>
> > > * All stdlib modules now support server cert verification including<br>
> > > hostname matching and CRL.<br>
> > ><br>
> > > * <a href="http://bugs.python.org/issue16499">http://bugs.python.org/issue16499</a> isolated mode is a security<br>
> > > improvement, too.<br>
> > <br>
> > Ok, I added these two items.<br>
> > <br>
> > Antoine wrote:<br>
> > > CRL? really? I don't remember us doing automatic CRL downloads.<br>
> > <br>
> > It's just the "support", nothing is automatic. I understood that you<br>
> > *can* load CRL and ask for CRL validation, but it must be done<br>
> > explicitly. There is a function to retrieve system CRLs on Windows.<br>
> <br>
> Then you should perhaps make your phrasing more explicit, because<br>
> people may wrongly assume that CRL checking will be done automatically<br>
> (IMHO).<br>
> <br>
> (especially since hostname checking, AFAIK, *is* automatic now)<br>
Sorry if I'm out of line on my first post to this list, but I've been using the ssl module in 3.4 some lately (indeed, I have an open RFE on it for 3.5).</font></tt><br>
<br>
<tt><font size="2">While hostname checking can be done automatically, it's not the default (and if it will even work at all depends on the version of openssl installed). </font></tt><br>
<tt><font size="2">I suppose I could see it changed to read:<br>
</font></tt><br>
<tt><font size="2">* All stdlib modules now support server cert verification including hostname matching and CRL verification (but not automatic download).</font></tt><br>
<br>
<tt><font size="2">Of course, the reality is, using the ssl module requires a vary careful attention to detail, and probably always will. If a programmer is just going by the "What's New" section for security related code, I'm not sure there's much you can to to save them. ;p</font></tt><br>
<br>
<tt><font size="2">> <br>
> Regards<br>
> <br>
> Antoine.<br>
> <br>
<br>
</font></tt></body></html>
RetroSearch is an open source project built by @garambo
| Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4