[Python-Dev] SSL issues in Python stdlib and 3rd party code

Antoine Pitrou solipsis at pitrou.net
Mon Aug 12 20:06:47 CEST 2013


On Mon, 12 Aug 2013 19:18:17 +0200
Christian Heimes <christian at python.org> wrote:
> related issue: Mozilla's certdata.txt and CKT_NSS_MUST_VERIFY_TRUST
> - -------------------------------------------------------------------
> Recently I found bugs in curl's mk-ca-bundle.pl script, its cacert.pem
> and in the CA bundle of eGenix.com pyOpenSSL Distribution. Both failed
> to handle a new option in Mozilla's certdata.txt database correctly.
> As a consequence the root CA bundles contained additionally and
> untrustworthy root certificates. I'm not sure about the severity of
> the issue.

Which goes to show that not bundling our own set of CA certificates is
the safest route.



More information about the Python-Dev mailing list