Comment 0 for bug 1047054

Jamie Strandboge (jdstrand) wrote :

The following program (based on can be easily MITMd:
from urllib3 import HTTPSConnectionPool
http_pool = HTTPSConnectionPool('')
r = http_pool.urlopen('GET', '/', redirect=False)
print r.status, r.headers.get('location')
r = http_pool.urlopen('GET', '/', redirect=True)
print r.status, len(

Changing it to use:
http_pool = HTTPSConnectionPool('', strict=False, cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt')

Results in urllib3 properly verifying certificates. python-urllib3 should use secure defaults and perform certificate verification unless an application author tells it not to.
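
An added example, not part of the original comment or of urllib3: a static check that flags HTTPSConnectionPool calls lacking the cert_reqs and ca_certs arguments used in the fix above. It assumes the behaviour reported here (no verification unless requested); the sample source, the placeholder host and the function names are constructed for illustration.

```python
import ast

# Constructed sample (Python 3 syntax); "example.invalid" is a placeholder host.
SAMPLE = '''
from urllib3 import HTTPSConnectionPool
weak = HTTPSConnectionPool("example.invalid")
strong = HTTPSConnectionPool("example.invalid", strict=False,
                             cert_reqs="CERT_REQUIRED",
                             ca_certs="/etc/ssl/certs/ca-certificates.crt")
off = HTTPSConnectionPool("example.invalid", cert_reqs="CERT_NONE")
'''

def _called_name(call):
    """Trailing name of the callee: HTTPSConnectionPool or urllib3.HTTPSConnectionPool."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    return func.attr if isinstance(func, ast.Attribute) else None

def _requires_cert(value):
    """True for the literal 'CERT_REQUIRED' or a name ending in CERT_REQUIRED."""
    if isinstance(value, ast.Constant):
        return value.value == "CERT_REQUIRED"
    name = getattr(value, "attr", None) or getattr(value, "id", None)
    return name == "CERT_REQUIRED"

def find_unverified_pools(source):
    """Return sorted (line, reason) pairs for HTTPSConnectionPool calls that
    do not explicitly ask for certificate verification."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _called_name(node) != "HTTPSConnectionPool":
            continue
        # A **kwargs splat hides the settings from static analysis.
        if any(kw.arg is None for kw in node.keywords):
            findings.append((node.lineno, "**kwargs passed; review by hand"))
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        if "cert_reqs" not in kwargs:
            findings.append((node.lineno, "cert_reqs not set"))
        elif not _requires_cert(kwargs["cert_reqs"]):
            findings.append((node.lineno, "cert_reqs is not CERT_REQUIRED"))
        elif "ca_certs" not in kwargs:
            # Assumption: the fix in the comment names a CA bundle, so require one.
            findings.append((node.lineno, "ca_certs not set"))
    return sorted(findings)

if __name__ == "__main__":
    for line, reason in find_unverified_pools(SAMPLE):
        print(f"line {line}: {reason}")
```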