[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Cory Benfield cory at lukasa.co.uk
Thu Jun 1 07:05:04 EDT 2017


> On 1 Jun 2017, at 11:51, Antoine Pitrou <solipsis at pitrou.net> wrote:
> 
> On Thu, 1 Jun 2017 11:45:14 +0100
> Cory Benfield <cory at lukasa.co.uk> wrote:
>> 
>> I am claiming that using OpenSSL certificate validation with root stores that are not intended for OpenSSL can be. This is because trust of a certificate is non-binary. For example, consider WoSign. The Windows TLS implementation will distrust certificates that chain up to WoSign as a root certificate that were issued after October 21 2016. This is not something that can currently be represented as a PEM file. Therefore, the person exporting the certs needs to choose: should that be exported or not? If it is, then OpenSSL will happily trust it even in situations where the system trust store would not.
> 
> I was not talking about exporting the whole system CA as a PEM file, I
> was talking about adding an option for system administrators to
> configure an extra CA certificate to be recognized by pip.

Generally speaking system administrators aren’t wild about this option, as it means that they can only add to the trust store, not remove from it. So, while possible, it’s not a complete solution to this issue. I say this because the option *already* exists, at least in part, via the REQUESTS_CA_BUNDLE environment variable, and we nonetheless still get many complaints from system administrators.

>> More generally, macOS allows the administrator to configure graduated trust: that is, to override whether or not a root should be trusted for certificate validation in some circumstances. Again, exporting this to a PEM does not persist this information.
> 
> How much of this is relevant to pip?

Depends. If the design goal is “pip respects the system administrator”, then the answer is “all of it”. An administrator wants to be able to configure their system trust settings. Ideally they want to do this once, and once only, such that all applications on their system respect it.

Cory
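
The export dilemma described in the message above, as an added example that is not part of the original message or of pip/Requests: a toy model in which a root can carry a "distrust if issued after" date, compared against a flat bundle that can only say whether a root is present. All class and function names, the "Example Root" entry and the leaf certificates are constructed for illustration; signature checking and expiry are left out so that only the policy difference shows.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Root:
    name: str
    trusted: bool = True
    # Graduated trust: a constraint that a PEM file has no field for.
    distrust_issued_after: Optional[date] = None

@dataclass(frozen=True)
class Leaf:
    subject: str
    root_name: str
    issued: date

# Constructed system store; the WoSign cutoff is the date given in the message.
SYSTEM_STORE = {
    "WoSign": Root("WoSign", distrust_issued_after=date(2016, 10, 21)),
    "Example Root": Root("Example Root"),
}

# Constructed leaves, one on each side of the cutoff plus an unaffected one.
LEAVES = [
    Leaf("old.example", "WoSign", date(2016, 3, 1)),
    Leaf("new.example", "WoSign", date(2017, 1, 15)),
    Leaf("other.example", "Example Root", date(2017, 1, 15)),
]

def system_trusts(store, leaf):
    """Decision of a platform validator that honours the date constraint."""
    root = store.get(leaf.root_name)
    if root is None or not root.trusted:
        return False
    cutoff = root.distrust_issued_after
    return cutoff is None or leaf.issued <= cutoff

def export_bundle(store, include_constrained):
    """Flatten the store to what a PEM bundle can express: a set of roots."""
    return {name for name, r in store.items()
            if r.trusted and (include_constrained or r.distrust_issued_after is None)}

def bundle_trusts(bundle, leaf):
    """Decision of a validator that only knows 'root is in the file or not'."""
    return leaf.root_name in bundle

def disagreements(store, leaves, include_constrained):
    """Subjects where the flat bundle and the system policy give different answers."""
    bundle = export_bundle(store, include_constrained)
    return [l.subject for l in leaves
            if system_trusts(store, l) != bundle_trusts(bundle, l)]
```

Whichever way the exporter chooses, one leaf is decided differently from the system policy: exporting the constrained root accepts the certificate issued after the cutoff, and omitting it rejects the one issued before.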

