Comment 3 for bug 1500768

Barry Warsaw (barry) wrote:

PEP 476 <https://www.python.org/dev/peps/pep-0476/> is the impetus for this, and issue 22417 is the implementation <https://bugs.python.org/issue22417>.

The PEP says this <https://www.python.org/dev/peps/pep-0476/#id28>:

"This change will have the appearance of causing some HTTPS connections to "break", because they will now raise an Exception during handshake.

This is misleading however, in fact these connections are presently failing silently, an HTTPS URL indicates an expectation of confidentiality and authentication. The fact that Python does not actually verify that the user's request has been made is a bug, further: "Errors should never pass silently."

Nevertheless, users who have a need to access servers with self-signed or incorrect certificates would be able to do so by providing a context with custom trust roots or which disables validation (documentation should strongly recommend the former where possible). Users will also be able to add necessary certificates to system trust stores in order to trust them globally.

Twisted's 14.0 release made this same change, and it has been met with almost no opposition."

So the immediate question I have is, you say you're running the tests with verify=True and you're getting new failures. If that's the case, then since you've apparently always been verifying certificates, the change to make verification by default shouldn't affect you. But you're saying it has affected you and other packages too, is that right?

You say you ran a test with the backport of requests 2.7, but you don't mention what the outcome of that test was.

If you install the monkey patch to restore the old behavior according to the PEP, does that fix the problem for you?

I'm also curious because I ran the system-image tests in a trusty chroot and haven't seen any problems. It does a lot of self-signed certificate checks, including ensuring that bad certificates are rejected. It doesn't use requests though.
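The two escape hatches the quoted PEP text describes (a context with custom trust roots versus one that disables validation) side by side, as an added example that is not part of this comment or of PEP 476; it uses only the standard `ssl` module, and the audit helper is a hypothetical name added here to show how to tell the two apart before a connection is ever made:

```python
import ssl


def make_verifying_context(cafile=None):
    """The PEP 476 default: hostname checking plus CERT_REQUIRED.

    Passing cafile adds a private root (e.g. an internal CA) to the trust
    store without weakening verification, which is the option the PEP
    recommends over disabling validation.
    """
    ctx = ssl.create_default_context()
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def make_unverified_context():
    """The 'old behaviour' context the PEP's monkey patch installs
    globally; shown here only to contrast it with the verifying one."""
    return ssl._create_unverified_context()


def context_verifies(ctx):
    """True only if ctx would reject an unknown CA and a name mismatch."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit_context(ctx):
    """Summarise the settings that decide whether a handshake can fail
    closed, so a test suite can assert on them instead of on a live server."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": bool(ctx.check_hostname),
        "verifies_peer": context_verifies(ctx),
    }


def default_https_context_verifies():
    """Check the process-wide hook urllib/http.client use, which is what
    the PEP's `ssl._create_default_https_context` monkey patch replaces."""
    return context_verifies(ssl._create_default_https_context())


if __name__ == "__main__":
    print("verifying:", audit_context(make_verifying_context()))
    print("unverified:", audit_context(make_unverified_context()))
    print("process default verifies:", default_https_context_verifies())
```

Running `default_https_context_verifies()` inside a test suite is a cheap way to catch a stray monkey patch that has been left in place by some other module.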