Author pitrou
Recipients eric.araujo, jfunk, pitrou
Date 2012-05-11.17:34:02
Message-id <1336757643.07.0.859542986352.issue14780@psf.upfronthosting.co.za>
In-reply-to
Content
> What about a patch to handle a directory store passed through the
> ca_certs parameter? As it stands now, it's impossible to load the
> distribution-supplied cert store on openSUSE.

I'm afraid it would still be a new feature, unsuitable for a bugfix release. Other distros simply have both a directory-based cert store and a cert bundle. In Mageia I see both /etc/pki/tls/rootcerts/ (a directory-based cert store) and /etc/pki/tls/certs/ca-bundle.crt (a single file cert bundle). (yes, I hope they're synchronized :))

Generally, the only reason we would add a new feature in a bugfix release is if it's necessary to fix a security issue (such as the hash randomization feature). Here it's not necessary: you could simply ship a cert bundle in addition to the cert store. I suppose its generation is easily automated with a script.

(and, yes, the ssl module has long lacked important features; its history is a bit bumpy)

Again, for 3.3, a patch allowing urllib.request to call load_default_verify_locations() could be a good idea.
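
The bundle generation mentioned in the message above, as an added example (not part of the original message or of CPython): it walks a directory-based cert store and writes a single-file bundle, deduplicating certificates that appear under several file names. The function name and the output file name are assumptions; the parsing only base64-decodes each PEM block and does not validate the certificate itself.

```python
import hashlib
import os
import re
import ssl
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def build_bundle(store_dir, bundle_path):
    """Write every certificate found in store_dir to one PEM bundle file.

    Returns the number of distinct certificates written.
    """
    seen = set()
    pems = []
    for entry in sorted(Path(store_dir).iterdir()):
        # is_file() follows symlinks, so hash-named links to the same
        # certificate are read as well and deduplicated below.
        if not entry.is_file():
            continue
        text = entry.read_text(encoding="ascii", errors="ignore")
        for block in PEM_BLOCK.findall(text):
            try:
                der = ssl.PEM_cert_to_DER_cert(block)
            except ValueError:  # malformed base64 inside the PEM armor
                continue
            fingerprint = hashlib.sha256(der).digest()
            if not der or fingerprint in seen:
                continue
            seen.add(fingerprint)
            pems.append(ssl.DER_cert_to_PEM_cert(der))
    # Write to a temporary name and rename, so a reader never sees a
    # half-written trust bundle.
    bundle_path = Path(bundle_path)
    tmp_path = bundle_path.with_name(bundle_path.name + ".tmp")
    tmp_path.write_text("".join(pems), encoding="ascii")
    os.replace(tmp_path, bundle_path)
    return len(pems)


if __name__ == "__main__":
    # The store path is the Mageia location named in the message; the output
    # name is hypothetical so the distribution's own bundle is not overwritten.
    n = build_bundle("/etc/pki/tls/rootcerts", "ca-bundle.generated.crt")
    print(f"wrote {n} certificates")
```

The resulting file can be passed wherever a single-file bundle is expected, such as the `ca_certs` parameter discussed above.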
History
Date                 User    Action  Args
2012-05-11 17:34:03  pitrou  set     recipients: + pitrou, jfunk, eric.araujo
2012-05-11 17:34:03  pitrou  set     messageid: <1336757643.07.0.859542986352.issue14780@psf.upfronthosting.co.za>
2012-05-11 17:34:02  pitrou  link    issue14780 messages
2012-05-11 17:34:02  pitrou  create