[Python-Dev] PEP 476: Enabling certificate validation by default!

Christian Heimes christian at python.org
Sun Aug 31 19:23:53 CEST 2014


On 31.08.2014 08:24, Nick Coghlan wrote:

> To answer David's specific question, the existing knobs at the OpenSSL level (SSL_CERT_DIR and SSL_CERT_FILE) let people add an internal CA, opt out of the default CA system, and trust specific self-signed certs.

This works only on Unix platforms iff SSL_CERT_DIR and SSL_CERT_FILE are both set to a non-empty string that points to non-existing files or something like /dev/null.

On Windows my enhancement will always cause the system trust store to kick in. There is currently no way to disable the Windows system store for ssl.create_default_context() and ssl._create_stdlib_context() with the functions' default arguments.

On Mac OS X the situation is even more obscure. Apple's OpenSSL binaries are using Apple's Trust Evaluation Agent. You have to set OPENSSL_X509_TEA_DISABLE=1 in order to prevent the agent from adding trusted certs from OSX key chain. Hynek Schlawack did a deep dive into it. https://hynek.me/articles/apple-openssl-verification-surprises/

> A Python-specific user level cert store is something that could be developed as a PyPI library for Python 2.7.9+ and 3.4+ (Is cert management considered in scope for cryptography.io? If so, that could be a good home).

Python's SSL module is lacking some functionalities in order to implement a fully functional cert store.

https://www.openssl.org/docs/ssl/SSL_CTX_set_cert_verify_callback.html
http://linux.die.net/man/3/x509_store_ctx_set_verify_cb
/api/ssl.html#OpenSSL.SSL.Context.set_verify

There are probably some more things missing. An X509 object would help, too.

Christian
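
Added example, not part of the original message: a check of what ssl.create_default_context() ends up trusting when SSL_CERT_FILE and SSL_CERT_DIR point at non-existing paths, as described above for Unix. The helper names (cert_env, trust_report) and the /nonexistent path are assumptions made for illustration; the zero-certificate result applies to Unix OpenSSL builds, not to the Windows system store.

```python
import contextlib
import os
import ssl

# Names of the environment variables this OpenSSL build consults,
# normally SSL_CERT_FILE and SSL_CERT_DIR.
_PATHS = ssl.get_default_verify_paths()
FILE_ENV, DIR_ENV = _PATHS.openssl_cafile_env, _PATHS.openssl_capath_env


def _apply(values):
    """Set or unset each variable; os.environ also updates the C environment."""
    for key, value in values.items():
        if value is None:
            os.environ.pop(key, None)
        else:
            os.environ[key] = value


@contextlib.contextmanager
def cert_env(cafile, capath):
    """Temporarily override the two OpenSSL trust-path variables (None = unset)."""
    saved = {key: os.environ.get(key) for key in (FILE_ENV, DIR_ENV)}
    try:
        _apply({FILE_ENV: cafile, DIR_ENV: capath})
        yield
    finally:
        _apply(saved)


def trust_report(cafile=None, capath=None):
    """Build a default client context under the given env and summarize its trust."""
    with cert_env(cafile, capath):
        paths = ssl.get_default_verify_paths()
        ctx = ssl.create_default_context()
        return {
            "cafile": paths.cafile,  # None when the file does not exist
            "capath": paths.capath,  # None when the directory does not exist
            # Counts certs loaded eagerly (CA file, Windows store); CA-directory
            # entries are looked up lazily and never appear here.
            "preloaded_certs": ctx.cert_store_stats()["x509"],
            "verifies": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        }


if __name__ == "__main__":
    missing = "/nonexistent/ca"  # constructed path, assumed not to exist
    print("system default:", trust_report())
    print("opted out     :", trust_report(missing, missing))
```

With both variables pointing nowhere the context still requires verification but has no trust anchors, so handshakes fail until a CA is added explicitly with load_verify_locations().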


