[New-bugs-announce] [issue17129] Include CA bundle and provide access to system's CA
Christian Heimes
report at bugs.python.org
Mon Feb 4 20:32:33 CET 2013
New submission from Christian Heimes:
For effective SSL server cert validation a bundle of trustworthy CA certs is required. Most system ship such a bundle but it's not always possible to access the bundle from Python / OpenSSL. Windows and Mac OS X come into my mind. wget and curl ship a copy of Mozilla's CA cert bundle.
The site http://curl.haxx.se/docs/caextract.html explains how to extract the CA certs in PEM format. I suggest that we ship the CA bundle with Python and use a lookup chain:
- user defined path to a cacert directory or cacert.pem file
- cacert directory or PEM file in the user's home directory:
cacertdir = os.path.join(site.USER_SITE, os.pardir, "cacert")
cacertfile = os.path.join(site.USER_SITE, os.pardir, "cacert.pem")
- system's ca cert directory (/etc/ssl/certs on Linux)
- CA cert bundle shipped with the Python installation.
----------
components: Library (Lib)
messages: 181379
nosy: christian.heimes
priority: high
severity: normal
status: open
title: Include CA bundle and provide access to system's CA
type: security
versions: Python 2.6, Python 2.7, Python 3.2, Python 3.3, Python 3.4
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue17129>
_______________________________________
More information about the New-bugs-announce
mailing list