[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython) (original) (raw)

Donald Stufft donald at stufft.io
Mon Jun 3 22:22:41 CEST 2013

On Jun 3, 2013, at 4:19 PM, Christian Heimes <christian at python.org> wrote:

Am 03.06.2013 21:52, schrieb Antoine Pitrou:

cadefault=True will probably be fail if the system certs are not properly configured in OpenSSL, e.g. under Windows or with a hand-made OpenSSL build. And, because of the way the OpenSSL API works, there's no way of knowing if it is the case or not: http://docs.python.org/3.4/library/ssl.html#ssl.SSLContext.setdefaultverifypaths I only see an issue for uncommon Linux distributions and exotic Unices. For Windows an interface to crypt32 API solves the CA issue as shown in my wincertstore module. It gives the user the same SSL experience as Internet Explorer. Most Linux and BSD-ish operating systems have SSL certs at some standard location. https://bitbucket.org/pypa/setuptools/src/6de3186fdfd9f5b543380e9aca2d48976cfc38cd/setuptools/sslsupport.py?at=default#cl-15 lists a couple of standard locations. Under which conditions do we need to ship a CA cert file? Christian

Python-Dev mailing list Python-Dev at python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/donald%40stufft.io

What about OSX?

Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/0b218f15/attachment.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 841 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/0b218f15/attachment.pgp>

More information about the Python-Dev mailing list