[Python-Dev] PEP 476: Enabling certificate validation by default!
Christian Heimes christian at python.org
Sun Aug 31 13:18:28 CEST 2014
On 30.08.2014 00:22, Antoine Pitrou wrote:
> SSL_CERT_DIR and SSL_CERT_FILE are used, if set, when SSLContext.load_verify_locations() is called.
> Actually, come to think of it, this allows us to write a better test for that method. Patch welcome!
The environment vars are used only when SSLContext.set_default_verify_paths() is called. load_verify_locations() loads certificates from a given file, directory or memory but it doesn't look at the env vars.
create_default_context() calls SSLContext.load_default_certs() when neither cafile, capath nor cadata is given as an argument. SSLContext.load_default_certs() then calls SSLContext.set_default_verify_paths(). However there is a catch: SSLContext.set_default_verify_paths() is not called on Windows. In retrospect it was a bad decision by me to omit the call.
http://hg.python.org/cpython/file/164a17eca081/Lib/ssl.py#l376
Christian
PS: SSL_CERT_DIR and SSL_CERT_FILE are the default names. It's possible to change the names in OpenSSL. ssl.get_default_verify_paths() returns the names and paths to the default verify locations.
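The lookup described in this message, as an added example that is not part of the original post: it reads the variable names and compiled-in defaults from ssl.get_default_verify_paths() and reports whether a given environment would redirect the default trust store. The helper name trust_store_overrides and the sample path in the test are assumptions made for illustration.

```python
import os
import ssl


def trust_store_overrides(environ=None):
    """Report how an environment redirects OpenSSL's default verify paths.

    Only contexts that end up in SSLContext.set_default_verify_paths()
    (for example create_default_context() with no cafile/capath/cadata)
    consult these variables; load_verify_locations() does not.
    """
    environ = os.environ if environ is None else environ
    paths = ssl.get_default_verify_paths()
    findings = []
    for kind, env_name, compiled, exists in (
        ("cafile", paths.openssl_cafile_env, paths.openssl_cafile, os.path.isfile),
        ("capath", paths.openssl_capath_env, paths.openssl_capath, os.path.isdir),
    ):
        value = environ.get(env_name)
        # A set variable wins over the compiled-in default, even if it is empty.
        effective = compiled if value is None else value
        findings.append({
            "kind": kind,
            "env_name": env_name,          # name comes from OpenSSL, not hard-coded
            "compiled_default": compiled,
            "effective": effective,
            "overridden": value is not None and value != compiled,
            "exists": exists(effective),   # a missing target means no CAs from it
        })
    return findings


if __name__ == "__main__":
    for f in trust_store_overrides():
        state = "OVERRIDDEN" if f["overridden"] else "default"
        print(f'{f["kind"]}: {f["env_name"]} -> {f["effective"]} '
              f'[{state}, exists={f["exists"]}]')
    # A bare context has loaded nothing; the default context has gone
    # through load_default_certs().
    bare = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print("bare context:   ", bare.cert_store_stats())
    print("default context:", ssl.create_default_context().cert_store_stats())
```

Certificates in a capath directory are looked up on demand, so cert_store_stats() does not count them until they have been used.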