This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: load_verify_locations(cadata) should load AUX ASN.1 to support trusted certs
Type: security
Stage: needs patch
Components: Extension Modules, SSL
Versions: Python 3.8

process
Status: open
Resolution: (none)
Dependencies: (none)
Superseder: (none)
Assigned To: christian.heimes
Nosy List: alex, christian.heimes, dstufft, giampaolo.rodola, janssen, pitrou
Priority: normal
Keywords: (none)

Created on 2016-03-02 12:24 by christian.heimes, last changed 2022-04-11 14:58 by admin.

Messages (1)
msg261109 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2016-03-02 12:24
https://docs.python.org/2/library/ssl.html#ssl.SSLContext.load_verify_locations can load certs from a file, a directory or from memory. OpenSSL's loaders for cafile and capath load auxiliary data of trusted certs. The custom loader for cadata ignores AUX data because it uses PEM_read_bio_X509() instead of PEM_read_bio_X509_AUX().

With the recent fix of OpenSSL 1.0.2 https://github.com/openssl/openssl/commit/a3baa171053547488475709c7197592c66e427cf trusted certificates now work again. I propose to change cadata to load trust settings, too.
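The practical consequence of the loader difference described in the message is that a PEM "TRUSTED CERTIFICATE" block carries the certificate followed by OpenSSL's CertAux structure (trust purposes, reject purposes, alias), and the cadata path reads only the certificate and discards the rest, whereas cafile/capath keep it. The following is an added example (not code from CPython or OpenSSL) that audits a PEM bundle before it is handed to cadata and reports, per block, which trust settings would be silently dropped. The helper names (`_tlv`, `_read_tlv`, `parse_cert_aux`, `audit_cadata`, `build_sample_bundle`) are assumptions of this example; the sample bundle is constructed inline, and its "certificate" is a placeholder DER SEQUENCE, not a real X.509 certificate, because only the outer TLV boundary matters for splitting certificate from aux data. The decoder covers the CertAux fields `openssl x509 -addtrust/-addreject/-setalias` writes and skips keyid/other.

```python
import base64
import re

# Helper names below are assumptions of this example, not CPython/OpenSSL APIs.
# OpenSSL stores trust purposes in CertAux as extended-key-usage OIDs.
OID_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _tlv(tag, value):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(value)
    if n < 0x80:
        header = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + header + value


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos] -> (tag, value, next_pos).
    Single-byte tags only; that covers every tag used in CertAux."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)


def _oid_list(seq_body):
    out, pos = [], 0
    while pos < len(seq_body):
        tag, value, pos = _read_tlv(seq_body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER in trust list")
        out.append(_decode_oid(value))
    return out


def parse_cert_aux(aux_der):
    """Decode CertAux: trust SEQUENCE OF OID, reject [0] IMPLICIT SEQUENCE OF
    OID, alias UTF8String. keyid and 'other' are skipped."""
    aux = {"trust": [], "reject": [], "alias": None}
    if not aux_der:
        return aux
    tag, body, _ = _read_tlv(aux_der, 0)
    if tag != 0x30:
        raise ValueError("CertAux must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x30:
            aux["trust"] = _oid_list(value)
        elif tag == 0xA0:
            aux["reject"] = _oid_list(value)
        elif tag == 0x0C:
            aux["alias"] = value.decode("utf-8")
    return aux


def audit_cadata(pem_text):
    """Per PEM block, report the trust settings the cadata path
    (PEM_read_bio_X509) discards but cafile/capath (PEM_read_bio_X509_AUX) keep."""
    findings = []
    for m in PEM_RE.finditer(pem_text):
        label = m.group(1)
        der = base64.b64decode(re.sub(r"\s+", "", m.group(2)))
        entry = {"label": label, "trust": [], "reject": [], "alias": None,
                 "dropped_by_cadata": False}
        if label == "TRUSTED CERTIFICATE":
            tag, _, end = _read_tlv(der, 0)  # the Certificate SEQUENCE itself
            if tag != 0x30:
                raise ValueError("block does not start with a certificate")
            entry.update(parse_cert_aux(der[end:]))
            entry["dropped_by_cadata"] = end < len(der)
        findings.append(entry)
    return findings


def _pem(label, der):
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (
        label, base64.encodebytes(der).decode(), label)


def build_sample_bundle():
    """Constructed sample. The 'certificate' is a placeholder SEQUENCE, not a
    real X.509 certificate; the CertAux mirrors what `openssl x509 -trustout
    -addtrust serverAuth -addreject clientAuth -setalias "Example Root"` appends."""
    fake_cert = _tlv(0x30, _tlv(0x04, b"placeholder, not a real X.509 certificate"))
    aux = _tlv(0x30,
               _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010505070301")))    # trust: serverAuth
               + _tlv(0xA0, _tlv(0x06, bytes.fromhex("2b06010505070302")))  # reject: clientAuth
               + _tlv(0x0C, b"Example Root"))                               # alias
    return _pem("CERTIFICATE", fake_cert) + _pem("TRUSTED CERTIFICATE", fake_cert + aux)


if __name__ == "__main__":
    for finding in audit_cadata(build_sample_bundle()):
        print(finding)
```

If the audit flags any block, the bundle should not go through `cadata` as long as this issue is open: write it to a file and pass it as `cafile`, which the message above says loads the auxiliary data. A certificate whose CertAux limits it to `serverAuth`, or rejects a purpose outright, is otherwise loaded as an ordinary CA certificate without those restrictions, and nothing in the Python API reports the loss.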
History
Date                 User              Action  Args
2022-04-11 14:58:28  admin             set     github: 70658
2018-02-25 20:24:46  christian.heimes  set     priority: high -> normal; versions: + Python 3.8, - Python 2.7, Python 3.5, Python 3.6, Python 3.7
2016-09-15 07:49:47  christian.heimes  set     components: + SSL
2016-09-09 00:02:33  christian.heimes  set     priority: normal -> high; assignee: christian.heimes; versions: + Python 3.7
2016-06-12 11:22:52  christian.heimes  set     assignee: christian.heimes -> (no value)
2016-03-02 12:24:40  christian.heimes  create