On Mon, Jan 30, 2017 at 8:50 PM, Cory Benfield <cory@lukasa.co.uk> wrote:


>> On 30 Jan 2017, at 13:53, David Cournapeau <cournape@gmail.com> wrote:
>>
>> Are there any official recommendations for downstream packagers beyond PEP 476? Is it "acceptable" for downstream packagers to patch Python's default cert locations?
>
> There *are* no default cert locations on Windows or macOS that can be accessed by OpenSSL.
>
> I cannot stress this strongly enough: you cannot provide a platform-native certificate validation logic for Python *and* use OpenSSL for certificate validation on Windows or macOS. (macOS can technically do this when you link against the system OpenSSL, at the cost of using a catastrophically insecure version of OpenSSL.)

Ah, thanks, that's already useful information.

Just making sure I understand: this means there is no way to use Python's SSL library to use the system store on Windows, in particular private certifications that are often deployed by internal ITs in large orgs?

> The only program I am aware of that does platform-native certificate validation on all three major desktop OS platforms is Chrome. It does this using a fork of OpenSSL to do the actual TLS, but the platform-native crypto library to do the certificate validation. This is the only acceptable way to do this, and Python does not expose the appropriate hooks to do it from within Python code. This would require that you carry substantial patches to the standard library to achieve this, all of which would be custom code. I strongly recommend you don't undertake to do this unless you are very confident of your ability to write this code correctly.

That's exactly what I was afraid of and why I asked before attempting anything.

> The best long term solution to this is to stop using OpenSSL on platforms that don't consider it the 'blessed' approach. If you're interested in following that work, we're currently discussing it on the security-SIG, and you'd be welcome to join.

Thanks, I will see if it looks like I have anything to contribute.

David
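Added example, not part of the thread above and not code from either participant: it shows the defender-side answer to the two questions raised (where an OpenSSL-backed Python actually looks for trust roots, and how to trust an internal CA without patching default locations). It only uses the standard `ssl` module; the internal CA bundle path passed to `build_context` is an assumed placeholder. Note the caveat in the comments: on Windows, CPython's `load_default_certs()` copies root certificates out of the system store via `ssl.enum_certificates()`, but chain validation is still done by OpenSSL, which is the distinction Cory draws.

```python
"""
Inspect OpenSSL's default trust sources as seen from this Python build, and
build a client SSLContext that trusts an internal CA explicitly (added example,
not from the thread; the CA bundle path is a placeholder).
"""
import os
import ssl
from typing import Optional


def default_trust_sources() -> dict:
    """Report the CA file/dir OpenSSL was compiled to consult, and whether they exist.

    On Linux distros these usually point at the distro bundle; on Windows and
    macOS builds that ship their own OpenSSL they frequently point nowhere,
    which is why "patching the default locations" does not give you the
    platform's own validation logic.
    """
    paths = ssl.get_default_verify_paths()
    return {
        "openssl_cafile": paths.openssl_cafile,
        "openssl_capath": paths.openssl_capath,
        "cafile_env": paths.openssl_cafile_env,   # e.g. SSL_CERT_FILE
        "capath_env": paths.openssl_capath_env,   # e.g. SSL_CERT_DIR
        "cafile_exists": bool(paths.openssl_cafile) and os.path.isfile(paths.openssl_cafile),
        "capath_exists": bool(paths.openssl_capath) and os.path.isdir(paths.openssl_capath),
        # Windows only: CPython can enumerate the system ROOT/CA stores and copy
        # those certificates into OpenSSL. That imports roots; it does NOT hand
        # chain building or platform policy to the OS crypto library.
        "windows_store_enumeration": hasattr(ssl, "enum_certificates"),
    }


def build_context(internal_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Strict client context; optionally add an internal CA on top of the defaults.

    Loading the CA into the context explicitly keeps the change visible and
    per-application, instead of silently altering interpreter-wide defaults.
    A missing bundle path raises FileNotFoundError rather than degrading to
    unverified connections.
    """
    ctx = ssl.create_default_context()   # loads default certs, CERT_REQUIRED, hostname checks
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if internal_ca_pem is not None:
        ctx.load_verify_locations(cafile=internal_ca_pem)  # placeholder path from caller
    return ctx


def is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context still requires a valid chain and a matching hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def trusted_subjects(ctx: ssl.SSLContext) -> list:
    """Subjects of the CA certificates loaded into the context (file-based ones only)."""
    return [
        {key: value for rdn in cert["subject"] for key, value in rdn}
        for cert in ctx.get_ca_certs()
    ]


if __name__ == "__main__":
    for name, value in default_trust_sources().items():
        print(f"{name:26} {value}")
    ctx = build_context()
    print("strict:", is_strict(ctx), "loaded CAs:", len(trusted_subjects(ctx)))
```

Run it on each platform you package for; a report with `cafile_exists` and `capath_exists` both `False` is the situation Cory describes, and the fix for internal CAs is to pass the bundle to `build_context` (or set the `SSL_CERT_FILE` variable named in `cafile_env`) rather than to carry patches against the standard library.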