[Python-Dev] SSL certificates recommendations for downstream python packagers
Cory Benfield
cory at lukasa.co.uk
Tue Jan 31 04:37:12 EST 2017
> On 31 Jan 2017, at 09:33, Christian Heimes <christian at python.org> wrote:
>
> One small correction, it is possible to export some of the trust
> settings to a TRUSTED CERTIFICATE and import them into OpenSSL. It works
> correctly in 1.0.1 and since 1.0.2e or f. Trust settings are stored in
> X509_AUX extension after the actual certificate and signature. OpenSSL's
> default loaders for cert dir and cert file do load auxiliary trust
> information.
Ah, good spot.
I suspect the code you’d need to write to safely extract that functionality is pretty subtle. I definitely don’t trust myself to get it right.
Cory
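
The layout Christian describes (certificate and signature first, auxiliary trust data after), shown as an added example that is not part of either message. The DER bytes are constructed placeholders rather than a real certificate, and the helper names are hypothetical.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (TRUSTED CERTIFICATE|CERTIFICATE)-----\s*(.*?)\s*-----END \1-----",
    re.S)

def der_seq_len(buf):
    """Total length (header + content) of the DER SEQUENCE starting at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                      # short form: length fits in one byte
        total = 2 + first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        total = 2 + n + int.from_bytes(buf[2:2 + n], "big")
    if total > len(buf):
        raise ValueError("truncated DER value")
    return total

def split_pem(text):
    """Return (label, certificate DER, auxiliary trust DER) for each PEM block."""
    out = []
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode(body)
        n = der_seq_len(der)
        cert, aux = der[:n], der[n:]
        # A plain CERTIFICATE block must contain the certificate and nothing else.
        if label == "CERTIFICATE" and aux:
            raise ValueError("trailing data after certificate")
        # Auxiliary data, when present, must be exactly one more SEQUENCE.
        if aux and der_seq_len(aux) != len(aux):
            raise ValueError("malformed auxiliary trust data")
        out.append((label, cert, aux))
    return out

def pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample input (assumption): a stand-in "certificate" SEQUENCE and an
# aux SEQUENCE whose trust list holds the serverAuth OID 1.3.6.1.5.5.7.3.1.
FAKE_CERT = bytes.fromhex("3003020101")
FAKE_AUX = bytes.fromhex("300c300a06082b06010505070301")
SAMPLE = pem("TRUSTED CERTIFICATE", FAKE_CERT + FAKE_AUX) + pem("CERTIFICATE", FAKE_CERT)

if __name__ == "__main__":
    for label, cert, aux in split_pem(SAMPLE):
        print(label, len(cert), "cert bytes,", len(aux), "aux bytes")
```

A loader that decodes a TRUSTED CERTIFICATE block as if it were a plain CERTIFICATE either fails on the trailing bytes or silently drops the trust settings.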