[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Cory Benfield cory at lukasa.co.uk
Thu Jun 1 06:23:03 EDT 2017


> On 1 Jun 2017, at 11:18, Antoine Pitrou <solipsis at pitrou.net> wrote:
> 
> On Thu, 1 Jun 2017 20:05:48 +1000
> Chris Angelico <rosuav at gmail.com> wrote:
>> 
>> As stated in this thread, OS-provided certificates are not handled by
>> that. For instance, if a local administrator distributes a self-signed
>> cert for the intranet server, web browsers will use it, but pip will
>> not.
> 
> That's true.  But:
> 1) pip could grow a config entry to set an alternative or additional CA
> path

No, it can’t.

Exporting the Windows or macOS security store to a big file of PEM is a security vulnerability because the macOS and Windows security stores expect to work with their own certificate chain building algorithms. OpenSSL builds chains differently, and disregards some metadata that Windows and macOS store, which means that cert validation will work differently than in the system store. This can lead to pip accepting a cert marked as “untrusted for SSL”, for example, which would be pretty bad.

Cory
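The trust metadata the message refers to is visible from Python 3 on Windows: `ssl.enum_certificates()` (added in Python 3.4, Windows only, so not available in the 2.7 interpreter this thread is about) returns each store entry as `(cert_bytes, encoding_type, trust)`, where `trust` is either `True` or a set of extended-key-usage OIDs the certificate is trusted for. The following added example is not part of Cory's post or of pip; it contrasts a "dump everything" PEM export, which discards that column, with one that keeps only roots the store marks as trusted for server authentication. The sample entries are constructed placeholders (not real certificates), since `ssl.DER_cert_to_PEM_cert` only base64-wraps its input and does not parse it.

```python
import ssl

# id-kp-serverAuth: the extended-key-usage OID for TLS server authentication.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
# id-kp-emailProtection: used only to build the constructed sample below.
EMAIL_PROTECTION_OID = "1.3.6.1.5.5.7.3.4"


def trusted_for_server_auth(trust):
    """Interpret the trust column of an ssl.enum_certificates() entry.

    Per the Python docs it is either exactly True (trusted for all purposes)
    or a set of EKU OID strings the certificate is trusted for.
    """
    if trust is True:
        return True
    return isinstance(trust, (set, frozenset)) and SERVER_AUTH_OID in trust


def naive_pem_export(entries):
    """Dump every X.509 entry to PEM and ignore the trust column.

    This is the "export the store to a big PEM file" approach the message
    warns about: a root trusted only for e-mail ends up trusted for TLS.
    """
    return "".join(
        ssl.DER_cert_to_PEM_cert(cert)
        for cert, encoding, _trust in entries
        if encoding == "x509_asn"
    )


def filtered_pem_export(entries):
    """Keep only X.509 entries the store marks as trusted for server authentication."""
    return "".join(
        ssl.DER_cert_to_PEM_cert(cert)
        for cert, encoding, trust in entries
        if encoding == "x509_asn" and trusted_for_server_auth(trust)
    )


def count_certs(pem_bundle):
    """Number of PEM certificate blocks in a bundle string."""
    return pem_bundle.count("-----BEGIN CERTIFICATE-----")


def live_entries(store_name="ROOT"):
    """Read the real store on Windows; elsewhere return [] so the module still runs."""
    if not hasattr(ssl, "enum_certificates"):
        return []
    return ssl.enum_certificates(store_name)


# Constructed sample entries in the (cert_bytes, encoding_type, trust) shape that
# ssl.enum_certificates() returns. The byte strings are placeholders, not real
# certificates.
SAMPLE_ENTRIES = [
    (b"\x30\x03\x02\x01\x01", "x509_asn", True),                                  # trusted for all purposes
    (b"\x30\x03\x02\x01\x02", "x509_asn", {EMAIL_PROTECTION_OID}),               # e-mail only: must not be used for TLS
    (b"\x30\x03\x02\x01\x03", "x509_asn", {SERVER_AUTH_OID, "1.3.6.1.5.5.7.3.2"}),  # server + client auth
    (b"\x30\x03\x02\x01\x04", "pkcs_7_asn", True),                                # PKCS#7 blob, skipped by both exports
]

if __name__ == "__main__":
    entries = live_entries() or SAMPLE_ENTRIES
    print("naive export:   ", count_certs(naive_pem_export(entries)), "certificates")
    print("filtered export:", count_certs(filtered_pem_export(entries)), "certificates")
```

On the constructed sample the naive export emits three roots, the filtered export two: the e-mail-only root that the store would never accept for a TLS server is exactly the one a flat PEM dump hands to OpenSSL as fully trusted. Filtering on the EKU set removes that particular failure but still does not reproduce the platform's own chain-building rules (Windows' chain engine and macOS trust settings apply constraints beyond EKU), which is why the message treats a PEM export as an inadequate substitute for the system store rather than something a flag can fix.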
