classification
Title: Include CA bundle and provide access to system's CA
Type: security Stage: resolved
Components: Library (Lib) Versions: Python 3.4, Python 3.2, Python 3.3, Python 2.7, Python 2.6
process
Status: closed Resolution: duplicate
Dependencies: Superseder: Python SSL stack doesn't have a default CA Store
View: 13655
Assigned To: Nosy List: christian.heimes, jcea, merwok, ned.deily, pitrou
Priority: high Keywords:

Created on 2013-02-04 19:32 by christian.heimes, last changed 2013-02-05 16:39 by merwok. This issue is now closed.

Messages (6)
msg181379 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-02-04 19:32
For effective SSL server cert validation a bundle of trustworthy CA certs is required. Most system ship such a bundle but it's not always possible to access the bundle from Python / OpenSSL. Windows and Mac OS X come into my mind. wget and curl ship a copy of Mozilla's CA cert bundle.

The site http://curl.haxx.se/docs/caextract.html explains how to extract the CA certs in PEM format. I suggest that we ship the CA bundle with Python and use a lookup chain:

- user defined path to a cacert directory or cacert.pem file

- cacert directory or PEM file in the user's home directory: 
  cacertdir = os.path.join(site.USER_SITE, os.pardir, "cacert")
  cacertfile = os.path.join(site.USER_SITE, os.pardir, "cacert.pem")

- system's ca cert directory (/etc/ssl/certs on Linux)

- CA cert bundle shipped with the Python installation.
msg181382 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-02-04 19:42
Shouldn't it be a duplicate of issue13655?
msg181411 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2013-02-05 03:24
FYI, at the moment, the PSF OS X installers dynamically link with the operating system supplied libssl and use its CA management policies.  Issue17128 proposes changing that because Apple has deprecated the use of the system openssl in OS X.
msg181415 - (view) Author: Éric Araujo (merwok) * (Python committer) Date: 2013-02-05 03:51
Agree this is a duplicate.  I also think it’s a feature request.
msg181444 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-02-05 15:27
Yes, it's a duplicate of #13665. Sorry, I didn't make a proper search. Although this is a new feature it's a fundament for cert validation.
msg181446 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-02-05 15:33
I found a recipe to retrieve CA certs from Window's cert store, see #17134.
History
Date User Action Args
2013-02-05 16:39:55merwoksetstatus: open -> closed
superseder: Python SSL stack doesn't have a default CA Store
resolution: duplicate
stage: resolved
2013-02-05 15:33:58christian.heimessetmessages: + msg181446
2013-02-05 15:27:03christian.heimessetmessages: + msg181444
2013-02-05 03:51:16merwoksetnosy: + merwok
messages: + msg181415
2013-02-05 03:32:02jceasetnosy: + jcea
2013-02-05 03:24:11ned.deilysetnosy: + ned.deily
messages: + msg181411
2013-02-04 19:42:07pitrousetnosy: + pitrou
messages: + msg181382
2013-02-04 19:33:56christian.heimeslinkissue12226 dependencies
2013-02-04 19:32:33christian.heimescreate