[Python-Dev] PEP 476: Enabling certificate validation by default!

Christian Heimes christian at python.org
Sun Aug 31 13:18:28 CEST 2014

On 30.08.2014 00:22, Antoine Pitrou wrote:
> SSL_CERT_DIR and SSL_CERT_FILE are used, if set, when
> SSLContext.load_verify_locations() is called.
> Actually, come to think of it, this allows us to write a better
> test for that method. Patch welcome!

The environment vars are used only when
SSLContext.set_default_verify_paths() is called. load_verify_locations()
loads certificates from a given file, directory or memory but it doesn't
look at the env vars.

create_default_context() calls SSLContext.load_default_certs() when
neither cafile, capath nor cadata is given as an argument.
SSLContext.load_default_certs() then calls
SSLContext.set_default_verify_paths(). However there is a catch:
SSLContext.set_default_verify_paths() is not called on Windows. In
retrospective it was a bad decision by me to omit the call.



PS: SSL_CERT_DIR and SSL_CERT_FILE are the default names. It's possible
to change the names in OpenSSL. ssl.get_default_verify_paths() returns
the names and paths to the default verify locations.

More information about the Python-Dev mailing list