[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
Christian Heimes
christian at python.org
Mon Jun 3 22:19:26 CEST 2013
Am 03.06.2013 21:52, schrieb Antoine Pitrou:
> cadefault=True will probably be fail if the system certs are not
> properly configured in OpenSSL, e.g. under Windows or with a hand-made
> OpenSSL build.
> And, because of the way the OpenSSL API works, there's no way of
> knowing if it is the case or not:
> http://docs.python.org/3.4/library/ssl.html#ssl.SSLContext.set_default_verify_paths
I only see an issue for uncommon Linux distributions and exotic Unices.
For Windows an interface to crypt32 API solves the CA issue as shown in
my wincertstore module. It gives the user the same SSL experience as
Internet Explorer.
Most Linux and BSD-ish operating systems have SSL certs at some standard
location.
https://bitbucket.org/pypa/setuptools/src/6de3186fdfd9f5b543380e9aca2d48976cfc38cd/setuptools/ssl_support.py?at=default#cl-15
lists a couple of standard locations.
Under which conditions do we need to ship a CA cert file?
Christian
More information about the Python-Dev
mailing list