[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Ned Deily nad at acm.org
Mon Jun 3 23:24:59 CEST 2013

In article <699D9AB5-26E0-4CCE-89C5-8E92C3305BDE at stufft.io>,
 Donald Stufft <donald at stufft.io> wrote:
> On Jun 3, 2013, at 4:19 PM, Christian Heimes <christian at python.org> wrote: 
> > Most Linux and BSD-ish operating systems have SSL certs at some standard
> > location.
> > https://bitbucket.org/pypa/setuptools/src/6de3186fdfd9f5b543380e9aca2d48976c
> > fc38cd/setuptools/ssl_support.py?at=default#cl-15
> > lists a couple of standard locations.
> > Under which conditions do we need to ship a CA cert file?
> What about OSX?

OS X has an actively managed set of CA certs, by Apple and with 
provision for users to tailor their security policies (add/modify/delete 
certs and their policies via either a gui or cli).  For python.org OS X 
installers, we currently depend on the system-provided versions of 
libssl and libcrypto which use the system/user cert infrastructure.  But 
Apple has deprecated the OpenSSL-compatible APIs and we have an open 
issue (Issue17128) to move to supplying our own copy of OpenSSL libs.  
One hangup has been what to do about the certs.  One solution would be 
to use a Python distribution of them as discussed here.  Another, 
probably better for users, solution is to continue to use the existing 
system/user cert infrastructure; recently, we've seen a new approach to 
that which we need to look into: 
http://bugs.python.org/issue17128#msg189244.  Third-party distributors 
of Python on OS X may use other solutions; for example, MacPorts already 
ships and links with its own version of OpenSSL.

 Ned Deily,
 nad at acm.org

More information about the Python-Dev mailing list