[Python-Dev] PEP 476: Enabling certificate validation by default!
Christian Heimes
christian at python.org
Sun Aug 31 13:18:28 CEST 2014
On 30.08.2014 00:22, Antoine Pitrou wrote:
> SSL_CERT_DIR and SSL_CERT_FILE are used, if set, when
> SSLContext.load_verify_locations() is called.
>
> Actually, come to think of it, this allows us to write a better
> test for that method. Patch welcome!
The environment vars are used only when
SSLContext.set_default_verify_paths() is called. load_verify_locations()
loads certificates from a given file, directory or memory but it doesn't
look at the env vars.
create_default_context() calls SSLContext.load_default_certs() when
neither cafile, capath nor cadata is given as an argument.
SSLContext.load_default_certs() then calls
SSLContext.set_default_verify_paths(). However there is a catch:
SSLContext.set_default_verify_paths() is not called on Windows. In
retrospective it was a bad decision by me to omit the call.
http://hg.python.org/cpython/file/164a17eca081/Lib/ssl.py#l376
Christian
PS: SSL_CERT_DIR and SSL_CERT_FILE are the default names. It's possible
to change the names in OpenSSL. ssl.get_default_verify_paths() returns
the names and paths to the default verify locations.
More information about the Python-Dev
mailing list