[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Donald Stufft donald at stufft.io
Mon Jun 3 22:22:41 CEST 2013


On Jun 3, 2013, at 4:19 PM, Christian Heimes <christian at python.org> wrote:

> On 03.06.2013 21:52, Antoine Pitrou wrote:
>> cadefault=True will probably fail if the system certs are not
>> properly configured in OpenSSL, e.g. under Windows or with a hand-made
>> OpenSSL build.
>> And, because of the way the OpenSSL API works, there's no way of
>> knowing if it is the case or not:
>> http://docs.python.org/3.4/library/ssl.html#ssl.SSLContext.set_default_verify_paths
> 
> I only see an issue for uncommon Linux distributions and exotic Unices.
> 
> For Windows an interface to crypt32 API solves the CA issue as shown in
> my wincertstore module. It gives the user the same SSL experience as
> Internet Explorer.
> 
> Most Linux and BSD-ish operating systems have SSL certs at some standard
> location.
> https://bitbucket.org/pypa/setuptools/src/6de3186fdfd9f5b543380e9aca2d48976cfc38cd/setuptools/ssl_support.py?at=default#cl-15
> lists a couple of standard locations.
> 
> Under which conditions do we need to ship a CA cert file?
> 
> Christian


What about OSX?

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
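
The point quoted above, that `set_default_verify_paths()` gives no indication of whether any certificates were found, can be checked separately. The following is an added example, not part of the original message or of CPython; the names `ca_store_status` and `default_ca_store_status` and the result keys are assumptions, and it relies on `ssl.get_default_verify_paths()` and `SSLContext.cert_store_stats()` (Python 3.4+).

```python
import os
import re
import ssl

# OpenSSL looks up capath entries by subject-hash file name, e.g. "0123abcd.0".
_HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def ca_store_status(cafile=None, capath=None):
    """Report what a pair of CA locations actually contains."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cafile_certs = 0
    if cafile and os.path.isfile(cafile):
        try:
            ctx.load_verify_locations(cafile=cafile)
            cafile_certs = ctx.cert_store_stats()["x509_ca"]
        except OSError:  # ssl.SSLError is a subclass: unreadable or no PEM certs
            cafile_certs = 0
    # capath certs are loaded lazily during a handshake, so cert_store_stats()
    # never counts them; count candidate files by name instead (not parsed).
    capath_entries = 0
    if capath and os.path.isdir(capath):
        capath_entries = sum(1 for n in os.listdir(capath) if _HASHED_NAME.match(n))
    return {
        "cafile_certs": cafile_certs,
        "capath_entries": capath_entries,
        "populated": cafile_certs > 0 or capath_entries > 0,
    }


def default_ca_store_status():
    """Same check for the locations this OpenSSL build treats as defaults."""
    paths = ssl.get_default_verify_paths()
    return ca_store_status(paths.cafile, paths.capath)


if __name__ == "__main__":
    status = default_ca_store_status()
    print(status)
    if not status["populated"]:
        print("default CA locations are empty: verification would fail for every host")
```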
