On Sat, 30 Aug 2014 12:46:47 +0200
"M.-A. Lemburg" <mal at egenix.com> wrote:
> The change is to the OpenSSL API, not the OpenSSL lib. By setting
> the variable you enable a few special calls to the config loader
> functions in OpenSSL when calling the initializer it:
>
> https://www.openssl.org/docs/crypto/OPENSSL_config.html

Ah, ok. Do you have experience with openssl.cnf? Apparently, it is
meant for offline tools such as certificate generation, I am not sure
how it could impact certification validation.

> > That use case should be served with the SSL_CERT_DIR and SSL_CERT_FILE
> > env vars (or, better, by specific settings *inside* the application).
> >
> > I'm against multiplying environment variables, as it makes it more
> > difficult to assess the actual security of a setting. The danger of an
> > ill-secure setting is much more severe than with hash randomization.
>
> You have a point there. So how about just a python run-time switch
> and no env var ?

Well, why not, but does it have a value over letting the code properly
configure their SSLContext?

Regards

Antoine.
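
The contrast discussed in the message above, as an added example that is not part of the original thread or of CPython: it reports which trust-store environment variables are in effect and builds a client `SSLContext` whose trust anchors come only from the application. The helper names `trust_env_overrides`, `explicit_client_context` and `describe` are hypothetical.

```python
import os
import ssl


def trust_env_overrides(environ=os.environ):
    """Return the trust-store environment variables that are currently set.

    The variable names are taken from the linked OpenSSL build
    (normally SSL_CERT_FILE and SSL_CERT_DIR) rather than hard-coded.
    """
    paths = ssl.get_default_verify_paths()
    names = (paths.openssl_cafile_env, paths.openssl_capath_env)
    return {name: environ[name] for name in names if name in environ}


def explicit_client_context(cafile=None, capath=None):
    """Build a client context whose trust anchors come only from the arguments.

    load_default_certs() is never called, so the environment cannot add or
    replace trust anchors. With no arguments the context trusts no CA at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already enables both; set them to document intent.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def describe(ctx):
    """Summarise the settings that decide whether a peer certificate is accepted."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "trusted_cas": ctx.cert_store_stats()["x509_ca"],
    }


if __name__ == "__main__":
    print("environment overrides:", trust_env_overrides() or "none")
    print("default verify paths:", ssl.get_default_verify_paths())
    print("explicit context:", describe(explicit_client_context()))
```
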