[Python-Dev] SSL certificates recommendations for downstream python packagers

Cory Benfield cory at lukasa.co.uk
Mon Jan 30 15:50:59 EST 2017



> On 30 Jan 2017, at 13:53, David Cournapeau <cournape at gmail.com> wrote:
> 
> Are there any official recommendations for downstream packagers beyond PEP 476? Is it "acceptable" for downstream packagers to patch python's default cert locations?

There *are* no default cert locations on Windows or macOS that can be accessed by OpenSSL.

I cannot stress this strongly enough: you cannot provide a platform-native certificate validation logic for Python *and* use OpenSSL for certificate validation on Windows or macOS. (macOS can technically do this when you link against the system OpenSSL, at the cost of using a catastrophically insecure version of OpenSSL.)

The only program I am aware of that does platform-native certificate validation on all three major desktop OS platforms is Chrome. It does this using a fork of OpenSSL to do the actual TLS, but the platform-native crypto library to do the certificate validation. This is the only acceptable way to do this, and Python does not expose the appropriate hooks to do it from within Python code. This would require that you carry substantial patches to the standard library to achieve this, all of which would be custom code. I strongly recommend you don't undertake to do this unless you are very confident of your ability to write this code correctly.

The best long term solution to this is to stop using OpenSSL on platforms that don't consider it the 'blessed' approach. If you're interested in following that work, we're currently discussing it on the security-SIG, and you'd be welcome to join.

Cory
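As an added diagnostic (not code from this thread or from CPython itself), the following reports which trust store the OpenSSL built into a given Python actually finds, which is the practical consequence of the "no default cert locations" point above: a packaged interpreter whose default context loads zero CA certificates will fail every verified connection. The `cafile` argument stands in for a packager-supplied bundle path and is an assumption, not something the message specifies.

```python
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class TrustStoreReport:
    """What the OpenSSL linked into this Python would use as its trust store."""
    cafile: Optional[str]   # compiled-in default CA file, None if it does not exist on disk
    capath: Optional[str]   # compiled-in default CA directory, None if it does not exist
    cafile_env: str         # environment variable overriding cafile (normally SSL_CERT_FILE)
    capath_env: str         # environment variable overriding capath (normally SSL_CERT_DIR)
    trust_anchors: int      # CA certificates actually loaded into a default client context

    @property
    def trust_store_empty(self) -> bool:
        # OpenSSL loads certificates from a hashed capath directory lazily, so
        # get_ca_certs() undercounts there; only treat "no file anchors and no
        # directory at all" as a definitely empty store.
        return self.trust_anchors == 0 and self.capath is None


def count_trust_anchors(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates this context currently holds as trust anchors."""
    return len(ctx.get_ca_certs())


def inspect_default_trust_store() -> TrustStoreReport:
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()  # runs load_default_certs() for a client context
    return TrustStoreReport(
        cafile=paths.cafile,
        capath=paths.capath,
        cafile_env=paths.openssl_cafile_env,
        capath_env=paths.openssl_capath_env,
        trust_anchors=count_trust_anchors(ctx),
    )


def build_verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """CERT_REQUIRED client context that refuses to start with an empty trust store."""
    ctx = ssl.create_default_context()
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)  # hypothetical packager-supplied bundle
    if count_trust_anchors(ctx) == 0 and ssl.get_default_verify_paths().capath is None:
        env = ssl.get_default_verify_paths().openssl_cafile_env
        raise RuntimeError(f"no CA certificates loaded; set {env} or pass cafile=")
    return ctx


if __name__ == "__main__":
    print(inspect_default_trust_store())
```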

