[New-bugs-announce] [issue22449] SSLContext.load_verify_locations behavior on Windows and OSX

Christian Heimes report at bugs.python.org
Sat Sep 20 12:35:39 CEST 2014


New submission from Christian Heimes:

The behavior of SSLContext.load_verify_locations is rather inconsistent across platforms:

On most POSIX platforms (Linux, BSD, non-Apple builds of OpenSSL) it loads certificates from predefined locations. The locations are defined during compile time and usually differ between vendors and platforms. My WiP "Improve TLS/SSL support" PEP lists all common locations and the packages that offer the certs. On these platforms SSL_CERT_DIR and SSL_CERT_FILE overwrite the location.

On Windows SSL_CERT_DIR and SSL_CERT_FILE are never taken into account by SSLContext.load_verify_locations because it doesn't call SSLContext.set_default_verify_paths(). The attached patch is a semi-fix for the problem. With the patch certs from SSL_CERT_DIR and SSL_CERT_FILE are only *added* to trusted root CA certs. The certs from Windows' cert store 'CA' and 'ROOT' are still loaded.

On OSX with Apple's custom build of OpenSSL SSL_CERT_DIR and SSL_CERT_FILE take effect. But there is a twist! In case a root CA cert is not found Apple's Trust Evaluation Agent (TEA) kicks in and looks up certs from Apple's keychain. It's almost the same situation as on Windows but more magical. In order to disable TEA one has to set the env var OPENSSL_X509_TEA_DISABLE=1 *before* the first cert is validated. After that the env var has no effect as the value is cached. Hynek has documted it in his blog: https://hynek.me/articles/apple-openssl-verification-surprises/

----------
components: Extension Modules, Library (Lib)
files: win32_load_SSL_CERT_env.patch
keywords: patch
messages: 227150
nosy: alex, christian.heimes, dstufft, giampaolo.rodola, hynek, janssen, ncoghlan, pitrou
priority: normal
severity: normal
stage: needs patch
status: open
title: SSLContext.load_verify_locations behavior on Windows and OSX
type: behavior
versions: Python 2.7, Python 3.4, Python 3.5
Added file: http://bugs.python.org/file36668/win32_load_SSL_CERT_env.patch

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue22449>
_______________________________________


More information about the New-bugs-announce mailing list