[Python-Dev] Verification of SSL cert and hostname made easy

Ronald Oussoren ronaldoussoren at mac.com
Sun Dec 1 18:03:47 CET 2013

> On 30 nov. 2013, at 19:29, Christian Heimes <christian at python.org> wrote:
> With CERT_REQUIRED OpenSSL verifies that the peer's certificate is
> directly or indirectly signed by a trusted root certification authority.
> With Python 3.4 the ssl module is able to use/load the system's trusted
> root certs on all major systems (Linux, Mac, BSD, Windows). On Linux and
> BSD it requires a properly configured system openssl to locate the root
> certs. This usually works out of the box. On Mac Apple's openssl build
> is able to use the keychain API of OSX. I have added code for Windows'
> system store.

Note that only Apple's build of OpenSSL integrates with keychain, other builds don't. The patch for keychain integration is on Apple's open source site but that isn't very helpful because that code uses a private API to do most of the work.   

This almost certainly means that users of fink, macports and the like cannot use the system keystore. 

It is probably possible to use the Keychain API to verify certificates, I haven't seriously looked into that yet and there is a risk of using higher level APIs: those tend to not like calling fork without calling execv soon after and that could break existing scripts. 


More information about the Python-Dev mailing list