[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
nad at acm.org
Mon Jun 3 23:24:59 CEST 2013
In article <699D9AB5-26E0-4CCE-89C5-8E92C3305BDE at stufft.io>,
Donald Stufft <donald at stufft.io> wrote:
> On Jun 3, 2013, at 4:19 PM, Christian Heimes <christian at python.org> wrote:
> > Most Linux and BSD-ish operating systems have SSL certs at some standard
> > location.
> > https://bitbucket.org/pypa/setuptools/src/6de3186fdfd9f5b543380e9aca2d48976c
> > fc38cd/setuptools/ssl_support.py?at=default#cl-15
> > lists a couple of standard locations.
> > Under which conditions do we need to ship a CA cert file?
> What about OSX?
OS X has an actively managed set of CA certs, by Apple and with
provision for users to tailor their security policies (add/modify/delete
certs and their policies via either a gui or cli). For python.org OS X
installers, we currently depend on the system-provided versions of
libssl and libcrypto which use the system/user cert infrastructure. But
Apple has deprecated the OpenSSL-compatible APIs and we have an open
issue (Issue17128) to move to supplying our own copy of OpenSSL libs.
One hangup has been what to do about the certs. One solution would be
to use a Python distribution of them as discussed here. Another,
probably better for users, solution is to continue to use the existing
system/user cert infrastructure; recently, we've seen a new approach to
that which we need to look into:
http://bugs.python.org/issue17128#msg189244. Third-party distributors
of Python on OS X may use other solutions; for example, MacPorts already
ships and links with its own version of OpenSSL.
nad at acm.org
More information about the Python-Dev