[Catalog-sig] Access to Windows' cert store

Donald Stufft donald at stufft.io
Thu Mar 21 14:40:15 CET 2013

On Mar 21, 2013, at 9:32 AM, Christian Heimes <christian at python.org> wrote:

> Am 21.03.2013 13:58, schrieb M.-A. Lemburg:
>> Why not simply use the Firefox certs ?
>> We started adding these to our pyOpenSSL distribution with the last release:
>> https://cms.egenix.com/products/python/pyOpenSSL/doc/#Module_OpenSSL.ca_bundle
> Sure, that's another viable option. But IIRC some people have raised
> license concerns.

Firefox bundle is releases under the MPL which only applies to the individual files and not the entire project.

>> You can setup OpenSSL Contexts to validate based in-memory
>> certificate as well: just add the certs one by one to the
>> Context using the X509Store object you can obtain using
>> context.get_cert_store().
> I assume you are talking about pyOpenSSL? I was referring to Python's
> SSL module. It can only load CA certs from a file or directory. It would
> be a useful feature for Python's SSL module, too.
>> I think this would be useful addition for pyOpenSSL as well - if
>> it's possible to extract the Windows certificates without admin
>> rights.
> The code works without special privileges. The MSDN references don't
> mention any restrictions, too. The code is rather simple -- I'm only
> using four functions and three structs.

I would love to see this added to Python Core. As it is right now if OpenSSL is configured correctly you can do `urllib.request.urlopen("…", cadefault=True)` and things will just work. This breaks down on Windows though.

> Christian
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130321/56d97fa5/attachment.pgp>

More information about the Catalog-SIG mailing list