[Python-Dev] SSL certificates recommendations for downstream python packagers

Cory Benfield cory at lukasa.co.uk
Wed Feb 1 10:32:45 EST 2017


> On 1 Feb 2017, at 14:20, Steve Dower <steve.dower at python.org> wrote:
> 
> Sorry, I misspoke when I said "certificate validation callback", I meant the same callback Cory uses below (name escapes me now, but it's unfortunately similar to what I said). There are two callbacks in OpenSSL, one that allows you to verify each certificate in the chain individually, and one that requires you to validate the entire chain.
> 
> I do indeed take the entire chain in one go and pass it to the OS API. Christian also didn't like that I was bypassing *all* of OpenSSL's certificate handling here, but maybe there's a way to make it reliable if Chrome has done it?

So, my understanding is that bypassing OpenSSL’s cert handling is basically fine. The risks are only in cases where OpenSSL’s cert handling would be a supplement to what the OS provides, which is not really very common and I don’t think is a major risk for Python.

So in general, it is not unreasonable to ask your OS “are these certificates valid for this connection based on your trust DB” and circumventing OpenSSL entirely there. Please do bear in mind you need to ask your OS the right question. For Windows this stuff is actually kinda hard because the API is somewhat opaque, but you have to worry about setting correct certificate usages, building up chain policies, and then doing appropriate error handling (AFAIK the crypto API can “fail validation” for some reasons that have nothing to do with validation itself, so worth bearing that in mind).

The TL;DR is: I understand Christian’s concern, but I don’t think it’s important if you’re very, very careful.

Cory
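As an added example, not code from this thread or from Steve's implementation, the PowerShell/.NET function below asks the Windows chain engine the question Cory describes: is this chain valid for TLS server authentication according to the OS trust store, given the intermediates the peer sent, with a revocation check, and with "the check could not run" separated from "the chain is bad". It uses X509Chain (a wrapper around CertGetCertificateChain); $LeafDer and $IntermediateDers are assumed to be DER bytes captured from the handshake, and hostname matching is left to the caller because X509Chain does not perform it.

```powershell
# Added example, not code from the thread. Assumes $LeafDer and $IntermediateDers are
# DER bytes captured from a TLS handshake (leaf certificate, then any intermediates).
function Test-ServerChainWithWindowsTrust {
    param(
        [Parameter(Mandatory)] [byte[]] $LeafDer,
        [byte[][]] $IntermediateDers = @()
    )
    $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($LeafDer)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    try {
        # "The right question": the chain must be valid for TLS server authentication
        # (id-kp-serverAuth), not merely chain to some root in the machine store.
        $serverAuth = [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.1')
        $null = $chain.ChainPolicy.ApplicationPolicy.Add($serverAuth)

        # Let the chain engine see the intermediates the peer sent, without trusting them.
        foreach ($der in $IntermediateDers) {
            $null = $chain.ChainPolicy.ExtraStore.Add(
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der))
        }
        $chain.ChainPolicy.RevocationMode = 'Online'       # CRL/OCSP lookup
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'

        $null  = $chain.Build($leaf)
        $flags = @($chain.ChainStatus | ForEach-Object { "$($_.Status)" })

        # These two flags mean the revocation source was unreachable, not that the
        # certificate failed validation. Whether to fail closed on them is the caller's policy.
        $infra      = @('RevocationStatusUnknown', 'OfflineRevocation')
        $realErrors = @($flags | Where-Object { $infra -notcontains $_ })

        [pscustomobject]@{
            Trusted               = ($realErrors.Count -eq 0)
            RevocationUnavailable = (@($flags | Where-Object { $infra -contains $_ }).Count -gt 0)
            Errors                = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
            # X509Chain does NOT check the hostname; match $leaf against the SNI/host separately.
            Subject               = $leaf.Subject
        }
    }
    finally {
        $chain.Dispose(); $leaf.Dispose()
    }
}

# Usage with a placeholder path to a DER file captured from a handshake:
# Test-ServerChainWithWindowsTrust -LeafDer ([IO.File]::ReadAllBytes('C:\path\to\leaf.der'))
```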


