On 19.10.2013 00:56, Guido van Rossum wrote:
> Thanks! That's probably fine for now -- it means the standard library
> doesn't know where the root certificates are. We had a huge discussion
> about this over on python-tulip:
> https://groups.google.com/forum/#!topic/python-tulip/c_lqdFjPEbE
>
> TL;DR: The stdlib openssl wrapper ought to know where each platform
> stores its root certificates and automatically use them, but it
> currently doesn't always. Users who really don't care but still want to
> use SSL must create an SSL context with verify_mode set to ssl.CERT_NONE
> (and live with the risk, obviously). This stuff passes on OS X only
> because there's a system openssl library that always uses the system
> root certificates.
>
> If anyone can help fixing the ssl.py module (or the _ssl extension) so
> that sslcontext.set_default_verify_paths() uses the system root certs on
> Windows that would be a huge help. (I have tried this on an Ubuntu box
> too, and there it actually works.)
I have worked on some patches and even started to write a PEP about it. You can find an old version of my PEP at https://bitbucket.org/tiran/peps/src/tip/pep-9999.txt . The PEP contains a list of possible locations of root CA certs.

The root CA certificate situation is troublesome. Several parsers for Mozilla's NSS certdata.txt are plain wrong and don't handle purpose / trust settings correctly. Even Ubuntu is affected by the bug. The /etc/ssl/certs/ directory contains certificates that are NOT suitable for server cert verification.

A couple of months ago I had a long and fruitful discussion with MAL about the issue. Egenix PyOpenSSL installer comes with a root CA bundle. He tried a couple of approaches to handle trust settings with OpenSSL means. Eventually MAL had to split up the bundle into multiple files for each purpose, see http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.13.2.1.0.1.5.html

We should *really* write a PEP about it, specify all details and get a proper review from real experts. This stuff is super complex and highly fragile. :(

Christian

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
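The two options the thread contrasts (a context that actually verifies against the platform root store versus the "live with the risk" `CERT_NONE` context) can be made concrete with a short probe. The following is an added example, not code from either message or from CPython; it relies on `ssl.get_default_verify_paths()`, `SSLContext.load_default_certs()` and `SSLContext.cert_store_stats()`, which CPython only gained in 3.4 (after this thread) and which are the stdlib's eventual answer to the "where are the root certificates" question. The helper names are the example's own. It reports which CA file or directory OpenSSL was compiled to look in, whether that location actually exists, and how many CA certificates ended up in the trust store, so an application can detect the "zero root certs loaded" case instead of silently ending up unable to verify anything.

```python
"""Probe the platform root CA store and build verifying / non-verifying contexts.

Added example (not part of the mailing-list thread). Uses ssl APIs that were
added in Python 3.4, after this discussion took place.
"""
import os
import ssl


def probe_default_verify_paths() -> dict:
    """Where does this OpenSSL build look for root certificates, and is it there?

    get_default_verify_paths() returns None for cafile/capath when the
    compiled-in location does not exist; openssl_cafile/openssl_capath
    always carry the raw compiled-in values for diagnostics.
    """
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.cafile,
        "capath": paths.capath,
        "openssl_cafile": paths.openssl_cafile,
        "openssl_capath": paths.openssl_capath,
        "cafile_exists": bool(paths.cafile and os.path.isfile(paths.cafile)),
        "capath_exists": bool(paths.capath and os.path.isdir(paths.capath)),
    }


def make_verifying_context() -> ssl.SSLContext:
    """Context that verifies server certs against the platform root store.

    PROTOCOL_TLS_CLIENT defaults to verify_mode=CERT_REQUIRED and
    check_hostname=True. load_default_certs(SERVER_AUTH) asks only for
    roots trusted for *server* authentication, which is exactly the
    purpose / trust-setting distinction Christian describes (a root
    trusted only for e-mail or code signing should not verify a TLS server).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def make_unverified_context() -> ssl.SSLContext:
    """The 'live with the risk' option from Guido's message: no verification.

    check_hostname must be switched off before verify_mode can be CERT_NONE;
    doing it the other way round raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def count_trusted_cas(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates actually loaded into the context's store."""
    return ctx.cert_store_stats()["x509_ca"]


def has_usable_trust_store(ctx: ssl.SSLContext) -> bool:
    """True only if the context both requires verification and has roots to
    verify against. A CERT_REQUIRED context with zero CAs fails every
    handshake; a CERT_NONE context accepts every certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and count_trusted_cas(ctx) > 0


if __name__ == "__main__":
    print("default verify paths:", probe_default_verify_paths())
    verifying = make_verifying_context()
    print("CA certs loaded:", count_trusted_cas(verifying))
    print("usable trust store:", has_usable_trust_store(verifying))
    print("unverified context usable:", has_usable_trust_store(make_unverified_context()))
```

On a host where the compiled-in `cafile`/`capath` do not exist (the Windows situation Guido describes), `probe_default_verify_paths()` reports `None` for both and `count_trusted_cas()` on a Linux build returns 0, which is the condition worth failing loudly on at startup rather than discovering at the first handshake; on Windows, `load_default_certs()` instead pulls roots from the system certificate stores.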