[Python-Dev] ssl improvements and testing question

Christian Heimes christian at python.org
Fri Jun 7 00:37:01 CEST 2013


I'm working on a couple of improvements for the ssl module:


#17134 is going to provide a way to use Window's crypt32.dll to load CA
certs from Window's CA cert storage. I have a working proof of concept
[1] that uses ctypes to interface crypt32.dll. I'll reimplement the code
in C.

#18138 implements the bits and pieces for #17134 in order to add DER and
PEM certs from memory (ASCII unicode or Py_Buffer). Until now the ssl
module can only load files from the file system.

#18143 and #18147 are diagnostic and debugging helpers that I would like
to add. The SSLContext() object is black box. You stuff in some PEM
files and don't know which CA certs have been loaded. The enhancements
implement a function to retrieve a list of CA certs (same format as
getpeercert()) and list of default CA locations for the platform.

I'm also thinking about OCSP support and X509v3 extension support for
_decode_certificate(). Both are a PITB ... Python has an easier and
better documented C API.

What's the minimum version of OpenSSL Python 3.4 is going to support? Do
we have an easy way to compile and link Python against a custom
installation of OpenSSL or do I have to fiddle around with CPPFLAGS and


[1] https://pypi.python.org/pypi/wincertstore

More information about the Python-Dev mailing list