[Python-Dev] PEP 476: Enabling certificate validation by default!

Christian Heimes christian at python.org
Sun Aug 31 19:23:53 CEST 2014

On 31.08.2014 08:24, Nick Coghlan wrote:
> To answer David's specific question, the existing knobs at the OpenSSL
> level (SSL_CERT_DIR and SSL_CERT_FILE ) let people add an internal CA,
> opt out of the default CA system, and trust *specific* self-signed
> certs.

This works only on Unix platforms iff SSL_CERT_DIR and SSL_CERT_FILE are
both set to a non-empty string that points to non-existing files or
something like /dev/null.

On Windows my enhancement will always cause the system trust store to
kick in. There is currently no way to disable the Windows system store
for ssl.create_default_context() and ssl._create_stdlib_context() with
the functions' default arguments.

On Mac OS X the situation is even more obscure. Apple's OpenSSL binaries
are using Apple's Trust Evaluation Agent. You have to set
OPENSSL_X509_TEA_DISABLE=1 in order to prevent the agent from adding
trusted certs from OSX key chain. Hynek Schlawack did a deep dive into
it. https://hynek.me/articles/apple-openssl-verification-surprises/

> A Python-specific user level cert store is something that could be
> developed as a PyPI library for Python 2.7.9+ and 3.4+ (Is cert
> management considered in scope for cryptography.io? If so, that could
> be a good home).

Python's SSL module is lacking some functionalities in order to
implement a fully functional cert store.

* no verify hook to verify each certificate in the chain like


* no way to get the full cert chain including the root certificate.

* no API to get the subject public key information (SPKI). The SPKI hash
can be used to identify a certificate. For example it's used in Google's
CRLSet. http://dev.chromium.org/Home/chromium-security/crlsets

* the cert validation exception could use some additional information.

There are probably some more things mising. An X509 object would help, too.


More information about the Python-Dev mailing list