You should ask Glyph too. He supplied lots of useful info about cert checking on the python-tulip list. On Sat, Oct 19, 2013 at 7:14 AM, Nick Coghlan <ncoghlan@gmail.com> wrote:
On 19 October 2013 22:44, Christian Heimes <christian@python.org> wrote:
Am 19.10.2013 00:56, schrieb Guido van Rossum: A couple of months I had a long and fruitful discussion with MAL about the issue. Egenix PyOpenSSL installer comes with a root CA bundle. He tried a couple of approaches to handle trust settings with OpenSSL means. Eventually MAL had to split up the bundle into multiple files for each purpuse, see
http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.13.2.1.0....
We should *really* write a PEP about it, specify all details and get a proper review from real experts. This stuff is super complex and highly fragile. :(
At the very least, it would be good if you and/or MAL could review the cert verification in pip. PEP 453 makes that kinda important :)
Cheers, Nick.
-- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
-- --Guido van Rossum (python.org/~guido)