[issue14780] SSL should use OpenSSL-defined default certificate store if ca_certs parameter is omitted

[Antoine Pitrou]

Antoine Pitrou <pitrou at free.fr> added the comment:

> What about a patch to handle a directory store passed through the
> ca_certs parameter? As it stands now, it's impossible to load the
> distribution-supplied cert store on openSUSE.

I'm afraid it would still be a new feature, unsuitable for a bugfix release. Other distros simply have both a directory-based cert store and a cert bundle. In Mageia I see both /etc/pki/tls/rootcerts/ (a directory-based cert store) and /etc/pki/tls/certs/ca-bundle.crt (a single file cert bundle). (yes, I hope they're synchronized :))

Generally, the only reason we would add a new feature in a bugfix release is if it's necessary to fix a security issue (such as the hash randomization feature). Here it's not necessary: you could simply ship a cert bundle in addition to the cert store. I suppose its generation is easily automated with a script.

(and, yes, the ssl module has long lacked important features; its history is a bit bumpy)

Again, for 3.3, a patch allowing urllib.request to call load_default_verify_locations() could be a good idea.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue14780>
_______________________________________