[issue13655] Python SSL stack doesn't have a default CA Store
Dima Tisnek
report at bugs.python.org
Thu Nov 28 14:08:11 CET 2013
Dima Tisnek added the comment:
re: cert_paths = [...]
This approach is rather problematic: there's no guarantee that a path trusted on one system is trusted on another.
I saw this in setuptools branch, where it does:
    for path in cert_path:
        if os.path.exists(path):
            return path
Let's say you're user1 on OS X and your native true path is "/System/Library/OpenSSL/certs/cert.pem"; can you guarantee that someone else, user2, cannot sneak their hacked files into "/etc/pki/" (presumably missing altogether) or "/usr/local/share/"?
Because if user2 can do that, suddenly user1 verifies all traffic against a hacked CA list.
----------
nosy: +Dima.Tisnek
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13655>
_______________________________________
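The following is an added illustration, not code from the issue, setuptools or CPython: it puts the quoted "first existing path wins" loop next to a hypothetical hardened variant that skips any candidate that is a symlink, is not owned by a trusted uid, or is writable by group or others, and runs both over a constructed scenario in a temporary directory.

```python
import os
import stat
import tempfile

def first_existing(cert_paths):
    """The setuptools-style pattern quoted in the issue: the first existing path wins."""
    for path in cert_paths:
        if os.path.exists(path):
            return path
    return None

def is_trustworthy_bundle(path, trusted_uids=(0,)):
    """Hypothetical hardening check (not setuptools' or CPython's code): accept a
    candidate only if it is a regular file rather than a symlink, is owned by a
    trusted uid, and cannot be modified by group or others."""
    try:
        st = os.lstat(path)          # lstat so a symlink is judged by itself
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid not in trusted_uids:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def first_trustworthy(cert_paths, trusted_uids=(0,)):
    """Same probe order, but candidates failing the ownership/permission check are skipped."""
    for path in cert_paths:
        if is_trustworthy_bundle(path, trusted_uids):
            return path
    return None

def demo():
    """Constructed scenario: a world-writable file (anyone could have planted it)
    sits at an earlier candidate location than the properly protected bundle.
    Returns (naive_choice, hardened_choice)."""
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "etc_pki_ca-bundle.crt")   # stands in for /etc/pki/...
        genuine = os.path.join(root, "System_cert.pem")         # stands in for the OS bundle
        for p, mode in ((planted, 0o666), (genuine, 0o644)):
            with open(p, "w") as f:
                f.write("-----BEGIN CERTIFICATE-----\nconstructed sample\n-----END CERTIFICATE-----\n")
            os.chmod(p, mode)
        candidates = [planted, genuine]   # same order as a cert_paths list
        trusted = (0, os.geteuid())       # root, or the account running the process
        return first_existing(candidates), first_trustworthy(candidates, trusted)

if __name__ == "__main__":
    naive, hardened = demo()
    print("first existing :", naive)
    print("first trusted  :", hardened)
```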