[New-bugs-announce] [issue22365] SSLContext.load_verify_locations(cadata) does not accept CRLs

Ralph Broenink report at bugs.python.org
Mon Sep 8 16:54:46 CEST 2014

New submission from Ralph Broenink:

Issue #18138 added support for the cadata argument in SSLContext.load_verify_locations. However, this argument does not support certificate revocation lists (CRLs) to be added (at least not in PEM format):

    ssl.SSLError: [PEM: NO_START_LINE] no start line (_ssl.c:2633)

The documentation of this method is rather vague on this subject and does not state explicitly this is not allowed:

    This method can also load certification revocation lists (CRLs) in PEM or or DER format. In order to make use of CRLs, SSLContext.verify_flags must be configured properly.

I think CRLs should be allowed to be loaded using the cadata argument. However, the documentation could use some polishing too: "At least one of cafile or capath must be specified." is outdated since the introduction of cadata.

components: Extension Modules
messages: 226582
nosy: Ralph.Broenink
priority: normal
severity: normal
status: open
title: SSLContext.load_verify_locations(cadata) does not accept CRLs
versions: Python 3.4

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list