[Python-Dev] SSL certificates recommendations for downstream python packagers

Christian Heimes christian at python.org
Mon Jan 30 16:10:21 EST 2017


On 2017-01-30 21:50, Cory Benfield wrote:
> 
> 
>> On 30 Jan 2017, at 13:53, David Cournapeau <cournape at gmail.com> wrote:
>>
>> Are there any official recommendations for downstream packagers beyond PEP 476? Is it "acceptable" for downstream packagers to patch Python's default cert locations?
> 
> There *are* no default cert locations on Windows or macOS that can be accessed by OpenSSL.
> 
> I cannot stress this strongly enough: you cannot provide a platform-native certificate validation logic for Python *and* use OpenSSL for certificate validation on Windows or macOS. (macOS can technically do this when you link against the system OpenSSL, at the cost of using a catastrophically insecure version of OpenSSL.) 

In theory it is possible for Python and OpenSSL, too. I looked into a
custom X509_LOOKUP_METHOD to locate trust anchors by subject. Steve is
trying an alternative approach in https://bugs.python.org/issue28747. It
ain't pretty and we are not there yet, either. Native support for SChannel
and SecureTransport has some benefits.

It's too bad OpenSSL lacks support for PKCS#11 Trust Assertion Objects.
We could use
https://p11-glue.freedesktop.org/doc/pkcs11-trust-assertions/#pkcs11-objects
under Linux and the PKCS#11 under Windows and macOS.

Christian
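
A check a downstream packager can run against their own build to see which of the situations discussed in this thread applies. This is an added example, not part of the original message and not CPython's own code; the function names and the `source` labels are hypothetical, and only documented `ssl` module calls are used.

```python
import os
import ssl


def classify_trust_source(paths, loaded_ca_count):
    """Say where a default SSLContext can find trust anchors.

    paths           -- ssl.DefaultVerifyPaths as returned by
                       ssl.get_default_verify_paths()
    loaded_ca_count -- CA certs already in the context's store
    Labels returned in "source" are hypothetical, for this example only.
    """
    # .cafile/.capath are None when the file or directory does not exist.
    cafile_ok = bool(paths.cafile) and os.path.isfile(paths.cafile)
    # An existing but empty capath gives OpenSSL nothing to look up.
    capath_ok = (bool(paths.capath) and os.path.isdir(paths.capath)
                 and bool(os.listdir(paths.capath)))
    if cafile_ok or capath_ok:
        source = "openssl-default-paths"
    elif loaded_ca_count > 0:
        # Nothing on disk for OpenSSL, but Python put certs in the store
        # itself (on Windows, load_default_certs() reads the system stores).
        source = "loaded-by-python"
    else:
        source = "none"  # no trust anchors: verified handshakes will fail
    return {
        "source": source,
        "cafile_ok": cafile_ok,
        "capath_ok": capath_ok,
        "compiled_in": (paths.openssl_cafile, paths.openssl_capath),
        "env_overrides": {v: os.environ[v] for v in
                          (paths.openssl_cafile_env, paths.openssl_capath_env)
                          if v in os.environ},
    }


def audit_this_interpreter():
    """Run the classification against the running Python build."""
    ctx = ssl.create_default_context()  # calls load_default_certs()
    # capath certs are loaded lazily, so they are not counted here.
    loaded = ctx.cert_store_stats()["x509_ca"]
    return classify_trust_source(ssl.get_default_verify_paths(), loaded)


if __name__ == "__main__":
    for key, value in audit_this_interpreter().items():
        print(f"{key}: {value}")
```

A result of `none` on a packaged build means the compiled-in paths point nowhere useful and nothing else filled the store, which is the case where packagers are tempted to patch the default locations.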

