On Sat, 10 Sep 2016 20:23:13 +0200
Christian Heimes <christian at python.org> wrote:
>
> It's a bit too clever and tricky for my taste. I prefer 'explicit is
> better than implicit' for trust anchors. My main concern are secure
> default settings. A SSLContext should be secure w/o further settings in
> order to prevent developers to shoot themselves in the knee.
>
> Missing root certs are not a direct security issue with CERT_REQUIRED.
> The connection will simply fail. I'd rather improve the error message
> than to auto-load certs.

Agreed with all this. You don't want to have "magic" behaviour in a
security-oriented module. Let people configure their contexts explicitly.

As a reminder, people who don't want to configure TLS themselves should
use an intermediate layer instead, such as ssl.create_default_context()
or an application protocol implementation (httplib, etc.).

Regards

Antoine.