[Python-Dev] Looking for volunteers to test Tulip on Windows

Christian Heimes christian at python.org
Sat Oct 19 14:44:14 CEST 2013


Am 19.10.2013 00:56, schrieb Guido van Rossum:
> Thanks! That's probably fine for now -- it means the standard library
> doesn't know where the root certificates are. We had a huge discussion
> about this over on python-tulip:
> https://groups.google.com/forum/#!topic/python-tulip/c_lqdFjPEbE
> 
> TL;DR: The stdlib openssl wrapper ought to know where each platform
> stores its root certificates and automatically use them, but it
> currently doesn't always. Users who really don't care but still want to
> use SSL must create an SSL context with verify_mode set to ssl.CERT_NONE
> (and live with the risk, obviously). This stuff passes on OS X only
> because there's a system openssl library that always uses the system
> root certificates.
> 
> If anyone can help fixing the ssl.py module (or the _ssl extension) so
> that sslcontext.set_default_verify_paths() uses the system root certs on
> Windows that would be a huge help. (I have tried this on an Ubuntu box
> too, and there it actually works.)

I have worked on some patches and even started to write a PEP about it.
You can find an old version of my PEP at
https://bitbucket.org/tiran/peps/src/tip/pep-9999.txt . The PEP contains
a list of possible locations of root CA certs.

The root CA certificate situation is troublesome. Several parsers for
Mozilla's NSS certdata.txt are plain wrong and don't handle purpose /
trust settings correctly. Even Ubuntu is affected by the bug. The
/etc/ssl/certs/ directory contains certificates that are NOT suitable
for server cert verification.

A couple of months ago I had a long and fruitful discussion with MAL about
the issue. Egenix PyOpenSSL installer comes with a root CA bundle. He
tried a couple of approaches to handle trust settings with OpenSSL
means. Eventually MAL had to split up the bundle into multiple files for
each purpose, see
http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.13.2.1.0.1.5.html

We should *really* write a PEP about it, specify all details and get a
proper review from real experts. This stuff is super complex and highly
fragile. :(

Christian
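The quoted problem (the stdlib not knowing where the platform's root certificates live, and users falling back to CERT_NONE) can be made visible from the ssl module itself. The following is an added example written for this page, not code from Guido, Christian, Tulip or the PEP: it reports the paths OpenSSL is compiled to search, builds a verifying client context, and refuses to continue when no trust source was found instead of silently degrading. It uses only the stdlib ssl API as it exists today (PROTOCOL_TLS_CLIENT, load_default_certs, get_default_verify_paths, cert_store_stats); the helper names and the "non-empty capath directory counts as a trust source" heuristic are this example's own choices.

```python
import os
import ssl
import tempfile


def describe_default_verify_paths():
    """Report where this OpenSSL build looks for root CAs and which locations exist.

    ssl.get_default_verify_paths() exposes the compiled-in cafile/capath and the
    environment variables that override them (normally SSL_CERT_FILE and
    SSL_CERT_DIR). .cafile and .capath are None when the location is missing,
    which is the "stdlib doesn't know where the roots are" situation.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,                   # None if the file does not exist
        "capath": p.capath,                   # None if the directory does not exist
        "cafile_env": p.openssl_cafile_env,   # e.g. "SSL_CERT_FILE"
        "capath_env": p.openssl_capath_env,   # e.g. "SSL_CERT_DIR"
        "compiled_cafile": p.openssl_cafile,  # compiled-in default, may not exist
        "compiled_capath": p.openssl_capath,
    }


def loaded_ca_count(ctx):
    """CA certificates already parsed into the context's X509 store."""
    return ctx.cert_store_stats()["x509_ca"]


def has_trust_source(ctx, capath=None):
    """True if verification has somewhere to find roots.

    Caveat: cert_store_stats() counts only certificates loaded into memory.
    A capath directory (hashed symlinks) is consulted lazily during the
    handshake and reports 0 here even when it is populated, so this example
    treats a non-empty capath directory as a trust source as well (heuristic).
    """
    if loaded_ca_count(ctx) > 0:
        return True
    if capath is None:
        capath = ssl.get_default_verify_paths().capath
    return bool(capath) and os.path.isdir(capath) and bool(os.listdir(capath))


def is_verifying(ctx):
    """True only if both the certificate chain and the hostname are checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def verifying_context(cafile=None, capath=None):
    """Client context that verifies the peer and refuses to run with no roots.

    PROTOCOL_TLS_CLIENT already sets verify_mode=CERT_REQUIRED and
    check_hostname=True. load_default_certs() is the stdlib's attempt to find
    the platform roots (OpenSSL's default paths, plus the Windows system
    stores on Windows). If that yields nothing and no bundle was passed in,
    fail loudly rather than letting the caller drift towards CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if not has_trust_source(ctx, capath):
        raise RuntimeError(
            "no root CA certificates available; set SSL_CERT_FILE/SSL_CERT_DIR "
            "or pass cafile/capath explicitly"
        )
    return ctx


def insecure_context():
    """The explicit opt-out: no hostname check and no chain verification.

    check_hostname must be cleared before verify_mode is lowered, otherwise
    the stdlib raises ValueError. Whoever uses this accepts that an active
    attacker can impersonate the server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def empty_capath_is_rejected():
    """Self-check: an empty capath with no cafile must be refused, not accepted."""
    with tempfile.TemporaryDirectory() as d:
        try:
            verifying_context(capath=d)
        except RuntimeError:
            return True
    return False


if __name__ == "__main__":
    print(describe_default_verify_paths())
    try:
        ctx = verifying_context()
        print("verifying context ready, CA certs in memory:", loaded_ca_count(ctx))
    except RuntimeError as exc:
        print("cannot verify:", exc)
```

Running the script on a box where `cafile` and `capath` both come back as None is the Windows situation from the thread: the context is configured to verify, but there is nothing to verify against, and every handshake fails until a bundle is supplied.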


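To show what Christian means by certdata.txt parsers that ignore the purpose and trust settings, here is an added example, written for this page and not taken from his patches, the PEP draft or the eGenix bundle. It parses the NSS certdata.txt object layout (one object per CKA_CLASS line, binary values as backslash-octal MULTILINE_OCTAL blocks) and contrasts the naive conversion, which emits every CKO_CERTIFICATE object, with one that emits a root only when its CKO_NSS_TRUST record carries CKT_NSS_TRUSTED_DELEGATOR for the requested purpose. The input is a constructed sample with placeholder bytes, not real certificates; pairing certificates with trust records by CKA_LABEL is an assumption of this example (the stricter key would be CKA_CERT_SHA1_HASH).

```python
import base64
import re

# Trust values NSS assigns per purpose in a CKO_NSS_TRUST record
TRUSTED_DELEGATOR = "CKT_NSS_TRUSTED_DELEGATOR"  # a trust anchor for this purpose
MUST_VERIFY = "CKT_NSS_MUST_VERIFY_TRUST"        # no trust of its own for this purpose
NOT_TRUSTED = "CKT_NSS_NOT_TRUSTED"              # explicitly distrusted
PURPOSES = {"server": "CKA_TRUST_SERVER_AUTH", "email": "CKA_TRUST_EMAIL_PROTECTION"}

# Constructed sample in the layout of certdata.txt; the CKA_VALUE bytes are
# placeholders, not real DER certificates.
SAMPLE_CERTDATA = r"""
BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Web Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Web Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email Only Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\002
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\003
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
"""


def _decode_octal(lines):
    # certdata.txt stores binary as backslash-octal triplets such as \060\202
    return bytes(int(m, 8) for m in re.findall(r"\\([0-7]{3})", "".join(lines)))


def parse_certdata(text):
    """Return one dict per object; every object starts at its CKA_CLASS line."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        if not line.strip() or line.startswith("#") or line.startswith("BEGINDATA"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        attr, typ = parts[0], parts[1]
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None:
            continue
        if typ == "MULTILINE_OCTAL":
            chunk = []
            for raw in lines:  # consume the value up to its END marker
                if raw.strip() == "END":
                    break
                chunk.append(raw)
            current[attr] = _decode_octal(chunk)
        elif typ == "UTF8":
            current[attr] = parts[2].strip().strip('"')
        else:
            current[attr] = parts[2].strip() if len(parts) > 2 else ""
    return objects


def all_certificates(objects):
    """The naive conversion: every CKO_CERTIFICATE object, trust records ignored."""
    return {o["CKA_LABEL"]: o["CKA_VALUE"] for o in objects
            if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}


def roots_for_purpose(objects, purpose="server"):
    """Only certificates whose trust record says TRUSTED_DELEGATOR for the purpose.

    MUST_VERIFY and NOT_TRUSTED both drop the certificate from the bundle; a
    cert with no trust record at all is dropped as well.
    """
    attr = PURPOSES[purpose]
    trust = {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    chosen = {}
    for label, der in all_certificates(objects).items():
        record = trust.get(label)
        if record is not None and record.get(attr) == TRUSTED_DELEGATOR:
            chosen[label] = der
    return chosen


def to_pem_bundle(certs):
    """Concatenate DER blobs as a PEM bundle that OpenSSL can load as a cafile."""
    out = []
    for label, der in certs.items():
        body = base64.encodebytes(der).decode("ascii")
        out.append("# " + label + "\n-----BEGIN CERTIFICATE-----\n"
                   + body + "-----END CERTIFICATE-----\n")
    return "".join(out)
```

On the sample, the naive conversion ships three roots, the server-auth bundle ships one, and the e-mail bundle ships two: exactly the split by purpose that the thread describes, and the reason a directory built by the naive path contains roots that must not be used to verify a TLS server.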