On Fri, 29 Aug 2014 17:11:35 -0400, Donald Stufft <donald at stufft.io> wrote:
> Sorry I was on my phone and didn’t get to fully reply to this.
>
> On Aug 29, 2014, at 4:00 PM, M.-A. Lemburg <mal at egenix.com> wrote:
> >
> > * configuration:
> >
> > It would be good to be able to switch this on or off
> > without having to change the code, e.g. via a command
> > line switch and environment variable; perhaps even
> > controlling whether or not to raise an exception or
> > warning.
>
> I’m on the fence about this, if someone provides a certificate
> that we can validate against (which can be done without
> touching the code) then the only thing that really can’t be
> “fixed” without touching the code is if someone has a certificate
> that is otherwise invalid (expired, not yet valid, wrong hostname,
> etc). I’d say if I was voting on this particular thing I’d be -0, I’d
> rather it didn’t exist but I wouldn’t cry too much if it did.

Especially if you want an accelerated change, there must be a way to
*easily* get back to the previous behavior, or we are going to catch a
lot of flack. There may be only 7% of public certs that are problematic,
but I'd be willing to bet you that there are more not-really-public ones
that are critical to day to day operations *somewhere* :)

wget and curl have 'ignore validation' as a command line flag for a reason.

--David