The mechanism is there for direct use of the SSL module, yes.  But the question is, what should indirect usage, like the httplib or urllib modules, do?  If they are going to check hostnames on use of an https: URL, they need some way to pass a ca_certs file through to the SSL code they use.
<br><br>Bill<br><br><div class="gmail_quote">On Dec 13, 2007 7:14 AM, Andreas Hasenack &lt;<a href="mailto:report@bugs.python.org">report@bugs.python.org</a>&gt; wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>Andreas Hasenack added the comment:<br><br>&gt; do it automatically. &nbsp;Unfortunately, that means that client-side<br>certificate<br>&gt; verification has to be done (it&#39;s pointless to look at the data in<br>&gt; unverified certificates), and that means that the client software has to
<br>&gt; have an appropriate collection of root certificates to verify against. &nbsp;I<br><br>But the current API already has this feature:<br>ssl_sock = ssl.wrap_socket(s, ca_certs=&quot;/etc/pki/tls/rootcerts/%s&quot; % cert,
<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;cert_reqs=ssl.CERT_REQUIRED)<br><br>So this is already taken care of with ca_certs and cert_reqs, right?<br><br>__________________________________<br>Tracker &lt;<a href="mailto:report@bugs.python.org">
report@bugs.python.org</a>&gt;<br>&lt;<a href="http://bugs.python.org/issue1589" target="_blank">http://bugs.python.org/issue1589</a>&gt;<br>__________________________________<br></blockquote></div><br>