[Python-Dev] SSL certificates recommendations for downstream python packagers

David Cournapeau cournape at gmail.com
Mon Jan 30 16:00:21 EST 2017


On Mon, Jan 30, 2017 at 8:50 PM, Cory Benfield <cory at lukasa.co.uk> wrote:

>
>
> > On 30 Jan 2017, at 13:53, David Cournapeau <cournape at gmail.com> wrote:
> >
> > Are there any official recommendations for downstream packagers beyond
> PEP 476? Is it "acceptable" for downstream packagers to patch Python's
> default cert locations?
>
> There *are* no default cert locations on Windows or macOS that can be
> accessed by OpenSSL.
>
> I cannot stress this strongly enough: you cannot provide a platform-native
> certificate validation logic for Python *and* use OpenSSL for certificate
> validation on Windows or macOS. (macOS can technically do this when you
> link against the system OpenSSL, at the cost of using a catastrophically
> insecure version of OpenSSL.)
>

Ah, thanks, that's already useful information.

Just making sure I understand: this means there is no way to use Python's
SSL library to use the system store on Windows, in particular private
certificates that are often deployed by internal ITs in large orgs?


> The only program I am aware of that does platform-native certificate
> validation on all three major desktop OS platforms is Chrome. It does this
> using a fork of OpenSSL to do the actual TLS, but the platform-native
> crypto library to do the certificate validation. This is the only
> acceptable way to do this, and Python does not expose the appropriate hooks
> to do it from within Python code. This would require that you carry
> substantial patches to the standard library to achieve this, all of which
> would be custom code. I strongly recommend you don't undertake to do this
> unless you are very confident of your ability to write this code correctly.
>

That's exactly what I was afraid of and why I asked before attempting
anything.


>
> The best long term solution to this is to stop using OpenSSL on platforms
> that don't consider it the 'blessed' approach. If you're interested in
> following that work, we're currently discussing it on the security-SIG, and
> you'd be welcome to join.
>

Thanks, I will see if it looks like I have anything to contribute.

David
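An added check, not part of the thread and not CPython's own tooling: the script below reports where this interpreter's ssl module looks for CA certificates, whether those compiled-in OpenSSL paths actually exist on the machine, and how many CA certificates the default context ends up trusting. It assumes CPython 3.4 or later and uses only the standard ssl module.

```python
import json
import os
import ssl
from typing import Any, Dict


def describe_default_trust() -> Dict[str, Any]:
    """Describe the trust store a default SSLContext really uses on this host.

    The compiled-in cafile/capath come from the OpenSSL build; on Windows and
    macOS they often point at locations that do not exist, which is the
    problem raised in the thread above.
    """
    paths = ssl.get_default_verify_paths()
    # create_default_context() calls load_default_certs(), which loads the
    # compiled-in locations and, on Windows only, the system ROOT/CA stores.
    ctx = ssl.create_default_context()
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "cafile": paths.cafile,
        "cafile_exists": bool(paths.cafile) and os.path.isfile(paths.cafile),
        "capath": paths.capath,
        "capath_exists": bool(paths.capath) and os.path.isdir(paths.capath),
        # Environment overrides OpenSSL honours (usually SSL_CERT_FILE/DIR).
        "env_cafile": os.environ.get(paths.openssl_cafile_env),
        "env_capath": os.environ.get(paths.openssl_capath_env),
        "requires_verification": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        # binary_form=True counts every loaded CA; certs in a capath directory
        # are only loaded on first use, so they are not counted here.
        "trusted_ca_count": len(ctx.get_ca_certs(binary_form=True)),
        # Present on Windows builds: lets Python read the system cert stores.
        "has_windows_store_api": hasattr(ssl, "enum_certificates"),
    }


def default_trust_is_usable() -> bool:
    """True when the default context has at least one CA to validate against."""
    return describe_default_trust()["trusted_ca_count"] > 0


if __name__ == "__main__":
    print(json.dumps(describe_default_trust(), indent=2))
```

A packager can run this on each target platform to see whether the "default cert locations" are real directories or merely paths baked into the OpenSSL build.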