[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Antoine Pitrou solipsis at pitrou.net
Thu Jun 1 06:51:41 EDT 2017


On Thu, 1 Jun 2017 11:45:14 +0100
Cory Benfield <cory at lukasa.co.uk> wrote:
> 
> I am claiming that using OpenSSL certificate validation with root stores that are not intended for OpenSSL can be. This is because trust of a certificate is non-binary. For example, consider WoSign. The Windows TLS implementation will distrust certificates that chain up to WoSign as a root certificate that were issued after October 21 2016. This is not something that can currently be represented as a PEM file. Therefore, the person exporting the certs needs to choose: should that be exported or not? If it is, then OpenSSL will happily trust it even in situations where the system trust store would not.

I was not talking about exporting the whole system CA as a PEM file, I
was talking about adding an option for system administrators to
configure an extra CA certificate to be recognized by pip.

> More generally, macOS allows the administrator to configure graduated trust: that is, to override whether or not a root should be trusted for certificate validation in some circumstances. Again, exporting this to a PEM does not persist this information.

How much of this is relevant to pip?

Regards

Antoine.
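The point Cory makes above (that trust in a root is non-binary, and that a flat PEM export loses the date cutoff or purpose restrictions a platform store attaches to a root) is easy to see in code. The following is an added illustration, not code from this thread, pip, or any platform trust store. Every root name, constraint and chain in it is constructed for the example; the date cutoff copies the one quoted in the message, and the "purpose" restriction stands in for the macOS graduated-trust case.

```python
"""Trust policy layer over a flat PEM root set (added illustration).

A PEM bundle can only express "this root is present" or "it is not".
Platform stores attach further conditions to a root, and those are lost
when the store is exported to PEM. All data here is constructed.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import FrozenSet, List, Optional


class Purpose(Enum):
    SERVER_AUTH = "serverAuth"
    CODE_SIGNING = "codeSigning"


@dataclass(frozen=True)
class Constraint:
    # Distrust leaves whose notBefore is after this date (constructed rule)
    distrust_issued_after: Optional[date] = None
    # Purposes for which the root is trusted; None means every purpose
    allowed_purposes: Optional[FrozenSet[Purpose]] = None


@dataclass(frozen=True)
class Chain:
    """Minimal result of chain building: which root it ends in, plus the
    leaf's notBefore and the intended use. Constructed, not a real chain."""
    root_subject: str
    leaf_not_before: date
    purpose: Purpose


# What a flat PEM export can carry: root presence only (constructed set)
FLAT_ROOTS = frozenset({"WoSign Root", "Example Global Root", "Corp Internal CA"})

# Per-root conditions a platform store keeps and a PEM file cannot (constructed)
CONSTRAINTS = {
    "WoSign Root": Constraint(distrust_issued_after=date(2016, 10, 21)),
    "Corp Internal CA": Constraint(allowed_purposes=frozenset({Purpose.SERVER_AUTH})),
}


def pem_trusts(chain: Chain) -> bool:
    """The decision OpenSSL can make from a flat bundle: is the root present?"""
    return chain.root_subject in FLAT_ROOTS


def policy_trusts(chain: Chain) -> bool:
    """Root presence plus the per-root conditions a platform store applies."""
    if not pem_trusts(chain):
        return False
    c = CONSTRAINTS.get(chain.root_subject)
    if c is None:
        return True
    if c.distrust_issued_after is not None and chain.leaf_not_before > c.distrust_issued_after:
        return False
    if c.allowed_purposes is not None and chain.purpose not in c.allowed_purposes:
        return False
    return True


def export_divergences(chains: List[Chain]) -> List[Chain]:
    """Chains the flat export would accept but the platform policy rejects."""
    return [ch for ch in chains if pem_trusts(ch) and not policy_trusts(ch)]


# Constructed sample chains
OLD_WOSIGN = Chain("WoSign Root", date(2016, 1, 15), Purpose.SERVER_AUTH)
NEW_WOSIGN = Chain("WoSign Root", date(2017, 3, 1), Purpose.SERVER_AUTH)
CORP_CODE = Chain("Corp Internal CA", date(2017, 1, 1), Purpose.CODE_SIGNING)
GLOBAL_OK = Chain("Example Global Root", date(2017, 1, 1), Purpose.SERVER_AUTH)
UNKNOWN = Chain("Untrusted Root", date(2017, 1, 1), Purpose.SERVER_AUTH)
SAMPLE_CHAINS = [OLD_WOSIGN, NEW_WOSIGN, CORP_CODE, GLOBAL_OK, UNKNOWN]

if __name__ == "__main__":
    for ch in export_divergences(SAMPLE_CHAINS):
        print("flat PEM trusts but policy rejects:", ch)
```

The divergence list is the set Cory is describing: whoever exports the system store to PEM has to decide whether to include such a root at all, and either choice is wrong for some chains. Adding a single extra CA for pip, as Antoine suggests, does not run into this because that one root is being added deliberately, without trying to mirror the platform's conditional rules.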



