Issue 17129: Include CA bundle and provide access to system's CA (original) (raw)

Created on 2013-02-04 19:32 by christian.heimes, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Messages (6)
msg181379 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-02-04 19:32
For effective SSL server cert validation a bundle of trustworthy CA certs is required. Most system ship such a bundle but it's not always possible to access the bundle from Python / OpenSSL. Windows and Mac OS X come into my mind. wget and curl ship a copy of Mozilla's CA cert bundle. The site http://curl.haxx.se/docs/caextract.html explains how to extract the CA certs in PEM format. I suggest that we ship the CA bundle with Python and use a lookup chain: - user defined path to a cacert directory or cacert.pem file - cacert directory or PEM file in the user's home directory: cacertdir = os.path.join(site.USER_SITE, os.pardir, "cacert") cacertfile = os.path.join(site.USER_SITE, os.pardir, "cacert.pem") - system's ca cert directory (/etc/ssl/certs on Linux) - CA cert bundle shipped with the Python installation.
msg181382 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-02-04 19:42
Shouldn't it be a duplicate of ?
msg181411 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2013-02-05 03:24
FYI, at the moment, the PSF OS X installers dynamically link with the operating system supplied libssl and use its CA management policies. Issue17128 proposes changing that because Apple has deprecated the use of the system openssl in OS X.
msg181415 - (view) Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2013-02-05 03:51
Agree this is a duplicate. I also think it’s a feature request.
msg181444 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-02-05 15:27
Yes, it's a duplicate of #13665. Sorry, I didn't make a proper search. Although this is a new feature it's a fundament for cert validation.
msg181446 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-02-05 15:33
I found a recipe to retrieve CA certs from Window's cert store, see #17134.
History
Date User Action Args
2022-04-11 14:57:41 admin set github: 61331
2013-02-05 16:39:55 eric.araujo set status: open -> closedsuperseder: Python SSL stack doesn't have a default CA Storeresolution: duplicatestage: resolved
2013-02-05 15:33:58 christian.heimes set messages: +
2013-02-05 15:27:03 christian.heimes set messages: +
2013-02-05 03:51:16 eric.araujo set nosy: + eric.araujomessages: +
2013-02-05 03:32:02 jcea set nosy: + jcea
2013-02-05 03:24:11 ned.deily set nosy: + ned.deilymessages: +
2013-02-04 19:42:07 pitrou set nosy: + pitroumessages: +
2013-02-04 19:33:56 christian.heimes link issue12226 dependencies
2013-02-04 19:32:33 christian.heimes create