[Python-Dev] PEP476: Enabling certificate validation by default

Christian Heimes christian at python.org
Sun Sep 21 12:57:05 CEST 2014


On 21.09.2014 01:03, Nick Coghlan wrote:

> We may also need some clarification from Ned regarding the status of OpenSSL and the potential impact switching from dynamic linking to static linking of OpenSSL may have in terms of the "OPENSSL_X509_TEA_DISABLE" setting.

You may want to ask Hynek, too. He initially discovered the issue and made me aware of how Apple is tying the keychain into OpenSSL. You may find the code in:

http://opensource.apple.com/source/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_vfy_apple.h
http://opensource.apple.com/source/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_vfy_apple.c

The TEA (Trust Evaluation Agent) switch is global and affects all SSL context instances. There is no canonical way to set the TEA flag for a single context or socket.

    /* -1: not set */
    static int tea_enabled = -1;

    void X509_TEA_set_state(int change)
    {
        tea_enabled = (change) ? 1 : 0;
    }

    int X509_TEA_is_enabled()
    {
        /* Evaluated once per process; only the presence of the
           variable is checked, not its value. */
        if (tea_enabled < 0)
            tea_enabled = (NULL == getenv(X509_TEA_ENV_DISABLE));

        return tea_enabled != 0;
    }
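The following is an added example, not code from the message above or from Apple's OpenSSL: it re-implements the two functions locally under `model_` names (the real symbols are `X509_TEA_set_state` and `X509_TEA_is_enabled`) so that the behaviour of the process-global switch can be observed without an Apple build of OpenSSL. The environment variable name is the one from x509_vfy_apple.h; `setenv`/`unsetenv` are assumed to be available (POSIX). It shows two consequences of the code quoted above that matter when a program such as Python's ssl module wants TEA off: the environment variable is read once and cached, so exporting it after the first certificate check in the process has no effect, and only the variable's existence is tested, so `OPENSSL_X509_TEA_DISABLE=0` still disables TEA.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>

/* Variable name checked by Apple's OpenSSL (x509_vfy_apple.h). */
#define X509_TEA_ENV_DISABLE "OPENSSL_X509_TEA_DISABLE"

/* Local model of Apple's process-global state: -1 = not yet evaluated,
 * 0 = TEA off, 1 = TEA on. Model only, not Apple's symbols. */
static int tea_enabled = -1;

static void model_tea_set_state(int change)
{
    tea_enabled = (change) ? 1 : 0;
}

static int model_tea_is_enabled(void)
{
    /* Same logic as Apple's function: evaluate the environment once,
       keyed on presence of the variable, then cache the result. */
    if (tea_enabled < 0)
        tea_enabled = (NULL == getenv(X509_TEA_ENV_DISABLE));
    return tea_enabled != 0;
}

/* Return to the "fresh process" state so each scenario starts clean. */
static void model_reset(void)
{
    tea_enabled = -1;
    unsetenv(X509_TEA_ENV_DISABLE);
}

/* Runs the ordering scenarios and returns a bitmask of what was observed:
 *   bit 0: TEA enabled on the first query when the variable is unset
 *   bit 1: still enabled after setenv() that follows the first query (cached)
 *   bit 2: disabled after an explicit set_state(0)
 *   bit 3: disabled when setenv() happens before the first query
 *   bit 4: disabled even with the value "0" (only presence is checked)
 * All five bits set (31) means the model behaves like the quoted code. */
int tea_ordering_hazard(void)
{
    int observed = 0;

    model_reset();
    if (model_tea_is_enabled())
        observed |= 1;
    setenv(X509_TEA_ENV_DISABLE, "1", 1);
    if (model_tea_is_enabled())          /* too late: result already cached */
        observed |= 2;
    model_tea_set_state(0);
    if (!model_tea_is_enabled())         /* the only way to flip it afterwards */
        observed |= 4;

    model_reset();
    setenv(X509_TEA_ENV_DISABLE, "1", 1);
    if (!model_tea_is_enabled())         /* set before first use: effective */
        observed |= 8;

    model_reset();
    setenv(X509_TEA_ENV_DISABLE, "0", 1);
    if (!model_tea_is_enabled())         /* "0" still counts as present */
        observed |= 16;

    return observed;
}

int main(void)
{
    int r = tea_ordering_hazard();
    printf("observations: %d\n", r);
    printf("setenv() after first query ignored: %s\n", (r & 2) ? "yes" : "no");
    printf("value \"0\" still disables TEA:      %s\n", (r & 16) ? "yes" : "no");
    return 0;
}
```

The practical consequence for an interpreter embedding OpenSSL is that the variable has to be in the environment before the first call that evaluates trust anywhere in the process, including calls made by other libraries loaded into it; once that has happened, only the global setter can change the state, and there is still no per-context control.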


