Message160431
> What about a patch to handle a directory store passed through the
> ca_certs parameter? As it stands now, it's impossible to load the
> distribution-supplied cert store on openSUSE.
I'm afraid it would still be a new feature, unsuitable for a bugfix release. Other distros simply have both a directory-based cert store and a cert bundle. In Mageia I see both /etc/pki/tls/rootcerts/ (a directory-based cert store) and /etc/pki/tls/certs/ca-bundle.crt (a single file cert bundle). (yes, I hope they're synchronized :))
Generally, the only reason we would add a new feature in a bugfix release is if it's necessary to fix a security issue (such as the hash randomization feature). Here it's not necessary: you could simply ship a cert bundle in addition to the cert store. I suppose its generation is easily automated with a script.
(and, yes, the ssl module has long lacked important features; its history is a bit bumpy)
Again, for 3.3, a patch allowing urllib.request to call load_default_verify_locations() could be a good idea.

| Date | User | Action | Args |
| 2012-05-11 17:34:03 | pitrou | set | recipients: + pitrou, jfunk, eric.araujo |
| 2012-05-11 17:34:03 | pitrou | set | messageid: <1336757643.07.0.859542986352.issue14780@psf.upfronthosting.co.za> |
| 2012-05-11 17:34:02 | pitrou | link | issue14780 messages |
| 2012-05-11 17:34:02 | pitrou | create | |
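
The workaround suggested in the message above, generating a single-file cert bundle from a directory-based cert store, could be scripted as follows. This is an added example, not code from the message or from CPython; `build_bundle` is a hypothetical name, and the script only checks that each PEM block base64-decodes; it does not validate the certificates themselves.

```python
import hashlib
import os
import re
import ssl
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def build_bundle(store_dir, bundle_path):
    """Write every distinct certificate found in store_dir to bundle_path.

    Returns the number of certificates written."""
    seen, blocks = set(), []
    for name in sorted(os.listdir(store_dir)):
        path = os.path.join(store_dir, name)
        # isfile() follows symlinks, so the <hash>.N links of a rehashed
        # store are read too; subdirectories and dangling links are skipped.
        if not os.path.isfile(path):
            continue
        with open(path, encoding="ascii", errors="ignore") as fh:
            text = fh.read()
        for pem in PEM_BLOCK.findall(text):
            try:
                der = ssl.PEM_cert_to_DER_cert(pem)
            except ValueError:  # malformed base64 body
                continue
            digest = hashlib.sha256(der).digest()
            if digest in seen:  # same cert reached via a link or second file
                continue
            seen.add(digest)
            blocks.append(ssl.DER_cert_to_PEM_cert(der))
    # Write to a temp file in the target directory and rename it into place,
    # so a TLS client never reads a half-written bundle.
    target_dir = os.path.dirname(os.path.abspath(bundle_path))
    fd, tmp = tempfile.mkstemp(dir=target_dir)
    with os.fdopen(fd, "w", encoding="ascii") as out:
        out.write("".join(blocks))
    os.chmod(tmp, 0o644)  # world-readable, writable only by the owner
    os.replace(tmp, bundle_path)
    return len(blocks)

if __name__ == "__main__":
    # Store path taken from the message above (Mageia); adjust per distribution.
    n = build_bundle("/etc/pki/tls/rootcerts", "ca-bundle.crt")
    print(n, "certificates written")
```

The resulting file can then be passed through the `ca_certs` parameter; it should be regenerated whenever the directory store changes so the two stay synchronized.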