[Python-Dev] PEP476: Enabling certificate validation by default
Christian Heimes
christian at python.org
Sun Sep 21 12:57:05 CEST 2014
On 21.09.2014 01:03, Nick Coghlan wrote:
> We may also need some clarification from Ned regarding the status of
> OpenSSL and the potential impact switching from dynamic linking to
> static linking of OpenSSL may have in terms of the
> "OPENSSL_X509_TEA_DISABLE" setting.
You may want to ask Hynek, too. He initially discovered the issue and
made me aware of how Apple is tying the keychain into OpenSSL. You may
find the code in:
http://opensource.apple.com/source/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_vfy_apple.h
http://opensource.apple.com/source/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_vfy_apple.c
The TEA (Trust Evaluation Agent) switch is global and affects all SSL
context instances. There is no canonical way to set the TEA flag for a
single context or socket.
#include <stdlib.h>  /* getenv() */

/* Environment variable name, as defined in x509_vfy_apple.h */
#define X509_TEA_ENV_DISABLE "OPENSSL_X509_TEA_DISABLE"

/* -1: not set
 *  0: set to false
 *  1: set to true
 */
static int tea_enabled = -1;   /* one process-wide flag, shared by every context */

void
X509_TEA_set_state(int change)
{
    tea_enabled = (change) ? 1 : 0;
}

int
X509_TEA_is_enabled(void)
{
    /* Lazily read the environment once; the result is cached for the process lifetime */
    if (tea_enabled < 0)
        tea_enabled = (NULL == getenv(X509_TEA_ENV_DISABLE));
    return tea_enabled != 0;
}
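The consequence of that lazy, process-wide flag is easy to miss: the environment variable is consulted only the first time any verification asks, after which the answer is latched for every SSL context in the process. The following is an added stand-alone model of those semantics (not Apple's code and not part of the original message; the model_* names and the three scenario functions are my own), which runs the state machine through the cases a defender would want to be sure about.

```c
#define _POSIX_C_SOURCE 200809L  /* setenv()/unsetenv() */
#include <stdio.h>
#include <stdlib.h>

/* Name taken from the message; in Apple's tree it is X509_TEA_ENV_DISABLE */
#define TEA_ENV_DISABLE "OPENSSL_X509_TEA_DISABLE"

/* Model of the tri-state global (-1 unset, 0 off, 1 on) from the quoted code */
static int model_tea_state = -1;

static void model_tea_set_state(int on) { model_tea_state = on ? 1 : 0; }

static int model_tea_is_enabled(void)
{
    if (model_tea_state < 0)                       /* first caller decides */
        model_tea_state = (getenv(TEA_ENV_DISABLE) == NULL);
    return model_tea_state != 0;
}

/* Test hook only: a real process has no way to "unlatch" the flag */
static void model_tea_reset(void) { model_tea_state = -1; }

/* Env var exported before the first check: TEA is off and stays off,
 * even if the variable disappears later. Returns 1 when the model behaves so. */
int scenario_env_set_before_first_check(void)
{
    model_tea_reset();
    setenv(TEA_ENV_DISABLE, "1", 1);
    int first = model_tea_is_enabled();            /* 0 */
    unsetenv(TEA_ENV_DISABLE);
    int second = model_tea_is_enabled();           /* still 0: latched */
    return first == 0 && second == 0;
}

/* Env var set only after something already triggered the first check:
 * the setting is ignored for the rest of the process. */
int scenario_env_set_after_first_check(void)
{
    model_tea_reset();
    unsetenv(TEA_ENV_DISABLE);
    int first = model_tea_is_enabled();            /* 1: keychain consulted */
    setenv(TEA_ENV_DISABLE, "1", 1);               /* too late */
    int second = model_tea_is_enabled();           /* still 1 */
    unsetenv(TEA_ENV_DISABLE);
    return first == 1 && second == 1;
}

/* An explicit X509_TEA_set_state-style call flips the flag for every
 * "context": two independent callers observe the same value. */
int scenario_explicit_set_is_process_global(void)
{
    model_tea_reset();
    unsetenv(TEA_ENV_DISABLE);
    model_tea_set_state(0);
    int ctx_a = model_tea_is_enabled();            /* context A */
    int ctx_b = model_tea_is_enabled();            /* context B, same answer */
    return ctx_a == 0 && ctx_b == 0;
}

int main(void)
{
    printf("env before first check latches off: %d\n", scenario_env_set_before_first_check());
    printf("env after first check is ignored:   %d\n", scenario_env_set_after_first_check());
    printf("explicit set is process-global:     %d\n", scenario_explicit_set_is_process_global());
    return 0;
}
```

The practical reading for a Python process: if OPENSSL_X509_TEA_DISABLE is to have any effect, it has to be in the environment before the interpreter performs its first certificate verification, and no later os.environ assignment can change the outcome for that process.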