[Python-Dev] PEP 476: Enabling certificate validation by default!
christian at python.org
Sun Aug 31 19:23:53 CEST 2014
On 31.08.2014 08:24, Nick Coghlan wrote:
> To answer David's specific question, the existing knobs at the OpenSSL
> level (SSL_CERT_DIR and SSL_CERT_FILE ) let people add an internal CA,
> opt out of the default CA system, and trust *specific* self-signed
This works only on Unix platforms iff SSL_CERT_DIR and SSL_CERT_FILE are
both set to a non-empty string that points to non-existing files or
something like /dev/null.
On Windows my enhancement will always cause the system trust store to
kick in. There is currently no way to disable the Windows system store
for ssl.create_default_context() and ssl._create_stdlib_context() with
the functions' default arguments.
On Mac OS X the situation is even more obscure. Apple's OpenSSL binaries
are using Apple's Trust Evaluation Agent. You have to set
OPENSSL_X509_TEA_DISABLE=1 in order to prevent the agent from adding
trusted certs from OSX key chain. Hynek Schlawack did a deep dive into
> A Python-specific user level cert store is something that could be
> developed as a PyPI library for Python 2.7.9+ and 3.4+ (Is cert
> management considered in scope for cryptography.io? If so, that could
> be a good home).
Python's SSL module is lacking some functionalities in order to
implement a fully functional cert store.
* no verify hook to verify each certificate in the chain like
* no way to get the full cert chain including the root certificate.
* no API to get the subject public key information (SPKI). The SPKI hash
can be used to identify a certificate. For example it's used in Google's
* the cert validation exception could use some additional information.
There are probably some more things mising. An X509 object would help, too.
More information about the Python-Dev