[Python-Dev] PEP 476: Enabling certificate validation by default! (original) (raw)

martin at v.loewis.de martin at v.loewis.de
Sat Aug 30 22:03:20 CEST 2014

• Previous message: [Python-Dev] PEP 476: Enabling certificate validation by default!
• Next message: [Python-Dev] PEP 476: Enabling certificate validation by default!
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Zitat von Christian Heimes <christian at python.org>:

On 30.08.2014 17:22, Alex Gaynor wrote:

The Windows certificate store is used by loaddefaultcerts:

* https://github.com/python/cpython/blob/master/Lib/ssl.py#L379-L381 * https://docs.python.org/3.4/library/ssl.html#ssl.enumcertificates The Windows part of loaddefaultcerts() has one major flaw: it can only load certificates that are already in Windows's cert store. However Windows comes only with a small set of default certs and downloads more certs on demand. In order to trigger a download Python or OpenSSL would have to use the Windows API to verify root certificates.

It's better than you think. Vista+ has a weekly prefetching procedure that should assure that virtually all root certificates are available:

http://support.microsoft.com/kb/931125/en-us

BTW, it's patented:

http://www.google.de/patents/US6816900

Regards, Martin

• Previous message: [Python-Dev] PEP 476: Enabling certificate validation by default!
• Next message: [Python-Dev] PEP 476: Enabling certificate validation by default!
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-Dev mailing list