Comment 20 for bug 1188189

Jeremy Stanley (fungi) wrote :

It's a perennial debate in the Python community, the most recent thread on the python-dev ML being http://mail.python.org/pipermail/python-dev/2013-June/126671.html. There's also an unassigned bug open for the past couple years (http://bugs.python.org/issue13655).

The python-nss module is LGPL and could be leveraged to access the builtin default NSS certdata... the real questions are around maturity and cross-platform support if you're wanting something which can leverage system-level cert databases and platform-specific trustdb management tools.

But by turning on certificate verification in existing deployments you're going to instabreak people who enabled HTTPS to talk to some random third-party device which has an expired, self-signed, CN-mismatched or otherwise nonconformant certificate on it because they saw there was a crypto option and decided to turn the knob all the way up without understanding the benefits (or lack thereof in this case).
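A pre-flight check for the breakage the comment describes, added here as example code that is not part of the bug report or of any project it mentions: it inspects a certificate in the dict form returned by `ssl.SSLSocket.getpeercert()` and reports which of the named conditions (expired, self-signed, CN/SAN mismatch) a verifying client would trip over, so an operator can fix or privately trust the endpoint before verification is switched on rather than turning it off. The hostname matching is a simplified reimplementation (SAN dNSName entries, a single leftmost-label wildcard, CN only as a fallback when the cert has no SAN), and the certificate dicts and the fixed "now" timestamp are constructed samples.

```python
"""Pre-flight check before enabling TLS certificate verification (example
code; cert dicts and the sample clock below are constructed)."""
import ssl


def _dns_names(cert):
    """Identities a verifier compares against the dialed hostname: SAN
    dNSName entries, or the subject CN only if the cert carries no SAN."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for (k, v) in rdn:
            if k == "commonName":
                return [v]
    return []


def _matches(pattern, hostname):
    """RFC 6125-style match: exact, or '*' standing for the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def cert_problems(cert, hostname, now):
    """Return the reasons a verifying client would reject `cert` for
    `hostname` at time `now` (seconds since epoch); [] means none fired."""
    problems = []
    not_after = cert.get("notAfter")
    if not_after and ssl.cert_time_to_seconds(not_after) < now:
        problems.append("expired")
    not_before = cert.get("notBefore")
    if not_before and ssl.cert_time_to_seconds(not_before) > now:
        problems.append("not-yet-valid")
    if cert.get("issuer") is not None and cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed")
    if not any(_matches(n, hostname) for n in _dns_names(cert)):
        problems.append("hostname-mismatch")
    return problems


def verifying_context(cafile=None):
    """Client context with verification on. For an internal device with a
    private CA, pass that CA's PEM as `cafile` instead of disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_verifying(ctx):
    """True only if the context both validates the chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Constructed samples in getpeercert() form.
# A third-party device cert: self-signed, expired, and issued for a name
# other than the address the client dials.
DEVICE_CERT = {
    "subject": ((("commonName", "switch.local"),),),
    "issuer": ((("commonName", "switch.local"),),),
    "notBefore": "Jun  1 00:00:00 2012 GMT",
    "notAfter": "Jun  1 00:00:00 2013 GMT",
}
# A cert from a private CA with proper SANs, including a wildcard.
GOOD_CERT = {
    "subject": ((("commonName", "api.example.net"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (("DNS", "api.example.net"), ("DNS", "*.svc.example.net")),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}
# Fixed clock so the sample results are reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jul  1 00:00:00 2013 GMT")

if __name__ == "__main__":
    print("device:", cert_problems(DEVICE_CERT, "10.0.0.5", SAMPLE_NOW))
    print("api:   ", cert_problems(GOOD_CERT, "api.example.net", SAMPLE_NOW))
    print("svc:   ", cert_problems(GOOD_CERT, "db.svc.example.net", SAMPLE_NOW))
    print("verifying:", is_verifying(verifying_context()))
```

Running the device report across existing HTTPS endpoints before flipping verification on turns the "instabreak" into a known list of endpoints that need a reissued cert or a private CA file; `verifying_context(cafile=...)` is the fix for the latter case, since trusting a specific CA keeps chain and hostname validation intact.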