[Python-Dev] SSL certificates recommendations for downstream python packagers

David Cournapeau cournape at gmail.com
Mon Jan 30 08:53:15 EST 2017


I am managing the team responsible for providing python packaging at
Enthought, and I would like to make sure we are providing a good (and
secure) out of the box experience for SSL.

My understanding is that PEP 476 is the latest PEP that concerns this
issue, and that PEP recommends using the system store:
https://www.python.org/dev/peps/pep-0476/#trust-database. But looking at
binary python distributions from python.org, that does not seem to a.ways
be the case. I looked at the following:

* 3.5.3 from python.org for OS X (64 bits): this uses the old, system
* 3.6.0 from python.org for OS X: this embeds a recent openssl, but ssl
seems to be configured to use non existing paths
(ssl..get_default_verify_paths()), and indeed, cert validation seems to
fail by default with those installers
* 3.6.0 from python.org for windows: I have not found how the ssl module
finds the certificate, but certification seems to work

Are there any official recommendations for downstream packagers beyond PEP
476 ? Is it "acceptable" for downstream packagers to patch python's default
cert locations ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20170130/5f51d0d4/attachment-0001.html>

More information about the Python-Dev mailing list