Comment 0 for bug 1047054

Jamie Strandboge (jdstrand) wrote :

The following program (based on http://code.google.com/p/urllib3/wiki/Examples) can be easily MITM'd:
#!/usr/bin/python
from __future__ import print_function
from urllib3 import HTTPSConnectionPool

# Default pool: no cert_reqs/ca_certs given, so the server certificate is
# not verified and the connection can be intercepted.
http_pool = HTTPSConnectionPool('www.google.com')
r = http_pool.urlopen('GET', '/', redirect=False)
print(r.status, r.headers.get('location'))
r = http_pool.urlopen('GET', '/', redirect=True)
print(r.status, len(r.data))

Changing it to use:
http_pool = HTTPSConnectionPool('www.google.com', strict=False, cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt')

Results in urllib3 properly verifying certificates. python-urllib3 should use secure defaults and perform certificate verification unless an application author tells it not to.
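A small static check for the pattern described in this report, added here as an example and not part of the bug report or of urllib3 itself: it walks a module's AST and flags every HTTPSConnectionPool(...) call that does not pass the literal cert_reqs='CERT_REQUIRED' together with a ca_certs bundle. The sample source embedded below is constructed from the two calls quoted above.

```python
import ast

# Constructed sample: the insecure call from the report and the fixed one.
SAMPLE_SOURCE = '''
from urllib3 import HTTPSConnectionPool
insecure = HTTPSConnectionPool('www.google.com')
verified = HTTPSConnectionPool('www.google.com', strict=False,
                               cert_reqs='CERT_REQUIRED',
                               ca_certs='/etc/ssl/certs/ca-certificates.crt')
'''


def _const_str(node):
    """Return the value of a string literal node, or None for anything else."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def find_unverified_pools(source):
    """Return (lineno, reason) for each HTTPSConnectionPool(...) call in
    `source` that does not explicitly request certificate verification.

    Only the string literal 'CERT_REQUIRED' is recognised; any other form
    (a variable, ssl.CERT_REQUIRED, a missing keyword) is reported so that
    a reviewer looks at it, since the library default does not verify.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, 'attr', None)
        if name != 'HTTPSConnectionPool':
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        if _const_str(kwargs.get('cert_reqs')) != 'CERT_REQUIRED':
            findings.append((node.lineno, "cert_reqs is not 'CERT_REQUIRED'"))
        elif 'ca_certs' not in kwargs:
            findings.append((node.lineno, 'no ca_certs bundle given'))
    return findings


if __name__ == '__main__':
    for lineno, reason in find_unverified_pools(SAMPLE_SOURCE):
        print('line %d: %s' % (lineno, reason))
```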