[Python-Dev] More on server-side SSL support

Bill Janssen janssen at parc.com
Tue Aug 21 02:39:39 CEST 2007

>   *  Allow certificate validation.  This is a bit tricky; typically
>      certs are validated against some database of root certificates, so you
>      need a whole infrastructure to maintain that database.  Currently, we
>      don't have one, so no certs can be validated.  We could add a switch
>      to allow auto-validation of self-signed certs pretty easily.  I could
>      add a parameter to the SSLObject constructor which would be a filepath
>      for a file full of root certs (see SSL_CTX_load_verify_locations(3ssl)).

The simplest way to do verification is to allow the application to
provide a set of root certs that it would like to verify against, and
use the built-in OpenSSL verification procedure.

The OpenSSL CAcerts file format is just a number of certificates
concatenated together, separated by text headers that identify the

 ... (CA certificate in base64 encoding) ...
 ... (another CA certificate in base64 encoding) ...

I suggest we just use that.  Applications which want something fancier
are free to implement something :-).


More information about the Python-Dev mailing list