[Python-Dev] PEP 476: Enabling certificate validation by default!

martin at v.loewis.de martin at v.loewis.de
Sat Aug 30 22:03:20 CEST 2014


Quoting Christian Heimes <christian at python.org>:

> On 30.08.2014 17:22, Alex Gaynor wrote:
>> The Windows certificate store is used by ``load_default_certs``:
>>
>> * https://github.com/python/cpython/blob/master/Lib/ssl.py#L379-L381
>> * https://docs.python.org/3.4/library/ssl.html#ssl.enum_certificates
>
> The Windows part of load_default_certs() has one major flaw: it can only
> load certificates that are already in Windows's cert store. However
> Windows comes only with a small set of default certs and downloads more
> certs on demand. In order to trigger a download Python or OpenSSL would
> have to use the Windows API to verify root certificates.

It's better than you think. Vista+ has a weekly prefetching procedure that
should assure that virtually all root certificates are available:

http://support.microsoft.com/kb/931125/en-us

BTW, it's patented:

http://www.google.de/patents/US6816900

Regards,
Martin
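
An added example, not part of the original message: a sketch for checking how much of the Windows store `load_default_certs` can actually use on a given machine, modelled on the encoding and trust filtering that `ssl.py` applies to `ssl.enum_certificates` results. The function names `select_trusted` and `inventory` and the `SAMPLE` entries are assumptions made for illustration.

```python
import ssl
import sys

# OID for TLS server authentication, the purpose load_default_certs defaults to.
SERVER_AUTH_OID = ssl.Purpose.SERVER_AUTH.oid

# Constructed sample in the shape ssl.enum_certificates returns:
# (cert_bytes, encoding_type, trust), where trust is True or a set of OIDs.
SAMPLE = [
    (b"CERT-A", "x509_asn", True),                        # trusted for everything
    (b"CERT-B", "x509_asn", {"1.3.6.1.5.5.7.3.1",
                             "1.3.6.1.5.5.7.3.2"}),       # server + client auth
    (b"CERT-C", "x509_asn", {"1.3.6.1.5.5.7.3.3"}),       # code signing only
    (b"CERT-D", "pkcs_7_asn", True),                      # not a plain X.509 blob
]


def select_trusted(entries, purpose_oid=SERVER_AUTH_OID):
    """Return the DER blobs usable as trust anchors for purpose_oid."""
    kept = []
    for cert, encoding, trust in entries:
        if encoding != "x509_asn":
            continue  # skip PKCS#7 bundles
        if trust is True or purpose_oid in trust:
            kept.append(cert)
    return kept


def inventory(store_names=("ROOT", "CA")):
    """Compare what is present in the system stores with what a context loads."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    report = {"loaded": ctx.cert_store_stats(), "stores": {}}
    if sys.platform == "win32":  # enum_certificates exists only on Windows
        for name in store_names:
            entries = ssl.enum_certificates(name)
            report["stores"][name] = {
                "present": len(entries),
                "usable_for_server_auth": len(select_trusted(entries)),
            }
    return report


if __name__ == "__main__":
    print(select_trusted(SAMPLE))
    print(inventory())
```

On Windows, a root that is absent from the `present` count is one the local store has not yet received, which is the case the thread is discussing.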
