This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
  Title: SSLContext.load_verify_locations(cadata) does not accept CRLs
  Type: behavior
  Stage: needs patch
  Components: SSL
  Versions: Python 3.8

process
  Status: open
  Resolution:
  Dependencies:
  Superseder:
  Assigned To:
  Nosy List: Ralph.Broenink, alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
  Priority: low
  Keywords:

Created on 2014-09-08 14:54 by Ralph.Broenink, last changed 2022-04-11 14:58 by admin.

Messages (3)
msg226582 - (view) Author: Ralph Broenink (Ralph.Broenink) Date: 2014-09-08 14:54
Issue #18138 added support for the cadata argument in SSLContext.load_verify_locations. However, this argument does not allow certificate revocation lists (CRLs) to be added (at least not in PEM format):

    ssl.SSLError: [PEM: NO_START_LINE] no start line (_ssl.c:2633)

The documentation of this method is rather vague on this subject and does not state explicitly this is not allowed:

    This method can also load certification revocation lists (CRLs) in PEM or DER format. In order to make use of CRLs, SSLContext.verify_flags must be configured properly.

I think CRLs should be allowed to be loaded using the cadata argument. However, the documentation could use some polishing too: "At least one of cafile or capath must be specified." is outdated since the introduction of cadata.
msg226626 - (view) Author: Ralph Broenink (Ralph.Broenink) Date: 2014-09-09 06:46
Here's a minimal example of the issue, assuming you have obtained a CRL in PEM format, e.g. from https://www.emulab.net/genicrl.bundle:

    import ssl
    context = ssl.create_default_context()

    path = 'path/to/crl.crl'

    # Working:
    context.load_verify_locations(cafile=path)

    # Not working:
    with open(path, 'r') as f:
        context.load_verify_locations(cadata=f.read())

Replacing the path to the CRL with a path to a CA works in both cases.
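The following is an added example, not code from this tracker or from CPython, showing how a caller can work around the behaviour described in the two messages above: CRL text that arrives in memory (for example fetched over HTTP) is spilled to a 0600 temporary file and loaded through the cafile argument, which the report shows to work, while certificate text keeps using cadata; the helper then sets VERIFY_CRL_CHECK_LEAF, since a loaded CRL is never consulted otherwise. The optional dependency on the third-party cryptography package is only used to build a throwaway CA and an empty CRL as constructed demo data; the loader itself is standard library only. The helper names (load_crl_pem, new_context, crl_checking_enabled, make_demo_crl_pem, CRLLoadError) are my own and not part of the ssl module.

```python
"""Load a PEM CRL into an SSLContext although cadata only accepts certificates.

Added example (not CPython code). CRL text is routed through a temporary
file and cafile; certificate text stays on the in-memory cadata path.
"""
import datetime
import os
import ssl
import tempfile

try:  # only needed to build constructed demo data; the loader is stdlib-only
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.x509.oid import NameOID
    HAVE_CRYPTOGRAPHY = True
except ImportError:
    HAVE_CRYPTOGRAPHY = False

CRL_MARKER = "-----BEGIN X509 CRL-----"


class CRLLoadError(ValueError):
    """The text was neither a loadable PEM certificate nor a loadable PEM CRL."""


def new_context():
    """Client context that does not preload system CAs, so cert_store_stats() stays readable."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def load_crl_pem(context, pem_text):
    """Load PEM text into *context* and return which argument was used ("cadata" or "cafile").

    cadata only parses CERTIFICATE blocks: a lone CRL fails with NO_START_LINE
    (the error in this report), so anything containing a CRL block goes through
    a temporary file and cafile, which loads both certificates and CRLs.
    """
    if CRL_MARKER not in pem_text:
        try:
            context.load_verify_locations(cadata=pem_text)
        except ssl.SSLError as exc:
            raise CRLLoadError(f"cadata rejected the input: {exc}") from exc
        used = "cadata"
    else:
        fd, path = tempfile.mkstemp(suffix=".crl")  # mkstemp creates the file mode 0600
        try:
            with os.fdopen(fd, "w") as fh:
                fh.write(pem_text)
            context.load_verify_locations(cafile=path)
        except (ssl.SSLError, OSError) as exc:
            raise CRLLoadError(f"cafile rejected the input: {exc}") from exc
        finally:
            os.unlink(path)
        used = "cafile"
    # A loaded CRL is ignored unless verify_flags asks for CRL checking.
    context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return used


def crl_checking_enabled(context):
    """True once the context will consult CRLs for the peer's leaf certificate."""
    return bool(context.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)


def make_demo_crl_pem():
    """Constructed demo data: a one-day throwaway CA and an empty CRL it signed."""
    if not HAVE_CRYPTOGRAPHY:
        raise RuntimeError("the cryptography package is needed to build demo data")
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo CA (constructed)")])
    now = datetime.datetime.now(datetime.timezone.utc)
    later = now + datetime.timedelta(days=1)
    ca = (x509.CertificateBuilder()
          .subject_name(name).issuer_name(name)
          .public_key(key.public_key())
          .serial_number(x509.random_serial_number())
          .not_valid_before(now).not_valid_after(later)
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(name)
           .last_update(now).next_update(later)
           .sign(key, hashes.SHA256()))
    return (ca.public_bytes(serialization.Encoding.PEM).decode(),
            crl.public_bytes(serialization.Encoding.PEM).decode())


if __name__ == "__main__":
    ctx = new_context()
    if HAVE_CRYPTOGRAPHY:
        ca_pem, crl_pem = make_demo_crl_pem()
        print("CA loaded via", load_crl_pem(ctx, ca_pem))
        print("CRL loaded via", load_crl_pem(ctx, crl_pem))
        print(ctx.cert_store_stats())  # expect 'crl': 1 and 'x509_ca': 1
    else:
        print("install cryptography to generate the demo CA/CRL data")
```

Routing on the CRL marker rather than "try cadata, fall back on error" is deliberate: when a PEM bundle has certificates followed by a CRL, cadata loads the certificates and stops at the CRL without raising, so an error-driven fallback would never trigger and the CRL would be dropped silently. After loading, context.cert_store_stats() is a cheap check that the CRL actually reached the store.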
msg301514 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-06 20:31
I'd rather not overload cadata with cert and CRL loading. It makes both code and usage messy. How about crldata argument? This would be a new feature, though.
History

Date                 User              Action  Args
2022-04-11 14:58:07  admin             set     github: 66561
2018-02-26 08:28:49  christian.heimes  set     priority: normal -> low
                                               assignee: christian.heimes ->
                                               components: - Extension Modules
                                               versions: + Python 3.8, - Python 3.7
2017-09-06 20:31:56  christian.heimes  set     messages: + msg301514
                                               versions: - Python 3.6
2016-09-15 07:56:00  christian.heimes  set     assignee: christian.heimes
                                               components: + SSL
2016-09-08 15:03:40  christian.heimes  set     stage: needs patch
                                               type: behavior
                                               versions: + Python 3.6, Python 3.7, - Python 3.4
2014-09-09 06:46:25  Ralph.Broenink    set     messages: + msg226626
2014-09-08 14:55:28  alex              set     nosy: + janssen, pitrou, giampaolo.rodola, christian.heimes, alex, dstufft
2014-09-08 14:54:46  Ralph.Broenink    create