On 19.10.2013 00:56, Guido van Rossum wrote:
Thanks! That's probably fine for now -- it means the standard library doesn't know where the root certificates are. We had a huge discussion about this over on python-tulip: https://groups.google.com/forum/#!topic/python-tulip/c_lqdFjPEbE
TL;DR: The stdlib openssl wrapper ought to know where each platform stores its root certificates and automatically use them, but it currently doesn't always. Users who really don't care but still want to use SSL must create an SSL context with verify_mode set to ssl.CERT_NONE (and live with the risk, obviously). This stuff passes on OS X only because there's a system openssl library that always uses the system root certificates.
If anyone can help fix the ssl.py module (or the _ssl extension) so that sslcontext.set_default_verify_paths() uses the system root certs on Windows that would be a huge help. (I have tried this on an Ubuntu box too, and there it actually works.)
I have worked on some patches and even started to write a PEP about it. You can find an old version of my PEP at https://bitbucket.org/tiran/peps/src/tip/pep-9999.txt . The PEP contains a list of possible locations of root CA certs.

The root CA certificate situation is troublesome. Several parsers for Mozilla's NSS certdata.txt are plain wrong and don't handle purpose / trust settings correctly. Even Ubuntu is affected by the bug. The /etc/ssl/certs/ directory contains certificates that are NOT suitable for server cert verification.

A couple of months ago I had a long and fruitful discussion with MAL about the issue. The eGenix PyOpenSSL installer comes with a root CA bundle. He tried a couple of approaches to handle trust settings with OpenSSL means. Eventually MAL had to split up the bundle into multiple files for each purpose, see http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.13.2.1.0....

We should *really* write a PEP about it, specify all details and get a proper review from real experts. This stuff is super complex and highly fragile. :(

Christian
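The trust-purpose problem Christian describes (a certdata.txt parser that copies every CKO_CERTIFICATE into the bundle without consulting the matching CKO_NSS_TRUST object), as an added example that is not part of this thread and is neither CPython nor eGenix code: a small Python parser that joins each certificate to its trust object on (issuer, serial) and keeps only the roots marked CKT_NSS_TRUSTED_DELEGATOR for the requested purpose, with the naive "every certificate is an anchor" selection alongside for contrast. The certdata.txt attribute names and CKT_NSS_* constants are the real vocabulary of that file; SAMPLE, its labels and its octal bodies are constructed placeholder data, not real certificates.

```python
import re

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"  # trust anchor for this purpose
DISTRUSTED = "CKT_NSS_NOT_TRUSTED"     # explicitly distrusted for this purpose
# Any other value (e.g. CKT_NSS_MUST_VERIFY_TRUST) means "no decision here".
PURPOSE_ATTR = {"server_auth": "CKA_TRUST_SERVER_AUTH",
                "email": "CKA_TRUST_EMAIL_PROTECTION"}


def _octal(data):
    """Render bytes the way certdata.txt MULTILINE_OCTAL blocks do."""
    return "".join("\\%03o" % b for b in data)


def _entry(label, serial, server, email):
    """A CKO_CERTIFICATE + CKO_NSS_TRUST pair in certdata.txt layout (constructed:
    issuer, serial and value are placeholder bytes, not real DER)."""
    issuer = _octal(b"\x30" + bytes([len(label)]) + label.encode())
    serial_oct = _octal(bytes([0x02, 0x01, serial]))
    return f'''
# Certificate "{label}"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "{label}"
CKA_ISSUER MULTILINE_OCTAL
{issuer}
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
{serial_oct}
END
CKA_VALUE MULTILINE_OCTAL
{_octal(bytes([0x30, 0x82, serial]))}
END

# Trust for "{label}"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "{label}"
CKA_ISSUER MULTILINE_OCTAL
{issuer}
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
{serial_oct}
END
CKA_TRUST_SERVER_AUTH CK_TRUST {server}
CKA_TRUST_EMAIL_PROTECTION CK_TRUST {email}
'''

# Constructed certdata.txt: a root trusted for TLS servers, an e-mail-only
# root, and one that the vendor has explicitly distrusted.
SAMPLE = "BEGINDATA\nCKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST\n" + "".join([
    _entry("Example Server Root", 1, TRUSTED, TRUSTED),
    _entry("Example Email-Only Root", 2, "CKT_NSS_MUST_VERIFY_TRUST", TRUSTED),
    _entry("Example Distrusted Root", 3, DISTRUSTED, DISTRUSTED),
])


def parse_certdata(text):
    """Return every object in a certdata.txt as a dict of attribute -> value."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        attr, typ, *rest = line.split(None, 2)
        if attr == "CKA_CLASS":          # every object begins with its class
            current = {}
            objects.append(current)
        if typ == "MULTILINE_OCTAL":     # body runs until a line reading END
            body = []
            for raw in lines:
                if raw.strip() == "END":
                    break
                body.append(raw)
            current[attr] = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "".join(body)))
        elif typ == "UTF8":
            current[attr] = rest[0].strip('"')
        else:
            current[attr] = rest[0]
    return objects


def naive_roots(objects):
    """The mistake described in the thread: every certificate object becomes an anchor."""
    return [o["CKA_LABEL"] for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"]


def roots_for(objects, purpose):
    """Join certificates to their trust objects and keep only those whose trust
    flag for `purpose` is TRUSTED; also report the explicitly distrusted ones.
    The join key is (issuer, serial): labels are free text and need not be unique."""
    attr = PURPOSE_ATTR[purpose]
    key = lambda o: (o.get("CKA_ISSUER"), o.get("CKA_SERIAL_NUMBER"))
    trust = {key(o): o for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    trusted, distrusted = [], []
    for o in objects:
        if o.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        flag = trust.get(key(o), {}).get(attr)
        if flag == TRUSTED:
            trusted.append(o["CKA_LABEL"])
        elif flag == DISTRUSTED:
            distrusted.append(o["CKA_LABEL"])
        # No trust object, or no decision for this purpose: neither anchor nor blacklist.
    return trusted, distrusted
```

Only the "server_auth" trusted list belongs in a bundle handed to an SSL context for server certificate verification; the e-mail-only root ends up in such a bundle exactly when the parser ignores the CKO_NSS_TRUST object, which is the defect the message above attributes to several converters. Entries marked CKT_NSS_NOT_TRUSTED must be left out of every bundle, and a verifier that can express a blacklist should refuse them outright rather than merely not trusting them.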