
Include CA bundle and provide access to system's CA #61331

Closed
tiran opened this issue Feb 4, 2013 · 6 comments
Labels
stdlib Python modules in the Lib dir type-security A security issue

Comments

@tiran
Member

tiran commented Feb 4, 2013

BPO 17129
Nosy @jcea, @pitrou, @tiran, @ned-deily, @merwok
Superseder
  • bpo-13655: Python SSL stack doesn't have a default CA Store
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = None
    closed_at = <Date 2013-02-05.16:39:55.638>
    created_at = <Date 2013-02-04.19:32:33.335>
    labels = ['type-security', 'library']
    title = "Include CA bundle and provide access to system's CA"
    updated_at = <Date 2013-02-05.16:39:55.637>
    user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2013-02-05.16:39:55.637>
    actor = 'eric.araujo'
    assignee = 'none'
    closed = True
    closed_date = <Date 2013-02-05.16:39:55.638>
    closer = 'eric.araujo'
    components = ['Library (Lib)']
    creation = <Date 2013-02-04.19:32:33.335>
    creator = 'christian.heimes'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 17129
    keywords = []
    message_count = 6.0
    messages = ['181379', '181382', '181411', '181415', '181444', '181446']
    nosy_count = 5.0
    nosy_names = ['jcea', 'pitrou', 'christian.heimes', 'ned.deily', 'eric.araujo']
    pr_nums = []
    priority = 'high'
    resolution = 'duplicate'
    stage = 'resolved'
    status = 'closed'
    superseder = '13655'
    type = 'security'
    url = 'https://bugs.python.org/issue17129'
    versions = ['Python 2.6', 'Python 2.7', 'Python 3.2', 'Python 3.3', 'Python 3.4']

    @tiran
    Member Author

    tiran commented Feb 4, 2013

    For effective SSL server cert validation a bundle of trustworthy CA certs is required. Most systems ship such a bundle, but it's not always possible to access the bundle from Python / OpenSSL. Windows and Mac OS X come to mind. wget and curl ship a copy of Mozilla's CA cert bundle.

    The site http://curl.haxx.se/docs/caextract.html explains how to extract the CA certs in PEM format. I suggest that we ship the CA bundle with Python and use a lookup chain:

    • user defined path to a cacert directory or cacert.pem file

    • cacert directory or PEM file in the user's home directory:
      cacertdir = os.path.join(site.USER_SITE, os.pardir, "cacert")
      cacertfile = os.path.join(site.USER_SITE, os.pardir, "cacert.pem")

    • system's ca cert directory (/etc/ssl/certs on Linux)

    • CA cert bundle shipped with the Python installation.
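    The lookup chain proposed above, as an added example that is not code from this issue or from CPython: it walks the four locations in the stated order, returns the first one that exists, and builds a verifying client context from it, failing closed when nothing is found. The `bundled_file` argument stands in for a bundle shipped with the interpreter and is an assumption, as is handling `site.USER_SITE` being `None`.

```python
import os
import site
import ssl

# Linux system CA directory named in the issue; other platforms differ.
SYSTEM_CA_DIRS = ("/etc/ssl/certs",)


def _classify(path):
    """("file", path) for a PEM file, ("dir", path) for a directory, else None."""
    if path and os.path.isfile(path):
        return ("file", path)
    if path and os.path.isdir(path):
        return ("dir", path)
    return None


def find_ca_location(user_path=None, home_base=None,
                     system_dirs=SYSTEM_CA_DIRS, bundled_file=None):
    """Return the first existing CA source in the issue's proposed order:
    user path, cacert/ or cacert.pem beside the user site dir, the system
    CA directory, then a bundle shipped with Python (bundled_file is an
    assumed location, not anything Python actually installs)."""
    if home_base is None and site.USER_SITE:  # USER_SITE is None under -I/-s
        home_base = os.path.join(site.USER_SITE, os.pardir)
    candidates = [user_path]
    if home_base:
        candidates += [os.path.join(home_base, "cacert"),
                       os.path.join(home_base, "cacert.pem")]
    candidates += list(system_dirs) + [bundled_file]
    for cand in candidates:
        hit = _classify(cand)
        if hit:
            return hit
    return None


def make_verifying_context(location):
    """Client context that verifies against `location`; fail closed when
    the chain found nothing instead of silently skipping verification."""
    if location is None:
        raise ssl.SSLError("no CA certificates found in lookup chain")
    kind, path = location
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if kind == "file":
        ctx.load_verify_locations(cafile=path)
    else:
        ctx.load_verify_locations(capath=path)
    return ctx
```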

    @tiran tiran added stdlib Python modules in the Lib dir type-security A security issue labels Feb 4, 2013
    @pitrou
    Member

    pitrou commented Feb 4, 2013

    Shouldn't it be a duplicate of bpo-13655?

    @ned-deily
    Member

    FYI, at the moment, the PSF OS X installers dynamically link with the operating system supplied libssl and use its CA management policies. bpo-17128 proposes changing that because Apple has deprecated the use of the system openssl in OS X.

    @merwok
    Member

    merwok commented Feb 5, 2013

    Agree this is a duplicate. I also think it’s a feature request.

    @tiran
    Member Author

    tiran commented Feb 5, 2013

    Yes, it's a duplicate of bpo-13665. Sorry, I didn't do a proper search. Although this is a new feature, it's a fundament for cert validation.

    @tiran
    Member Author

    tiran commented Feb 5, 2013

    I found a recipe to retrieve CA certs from Windows' cert store, see bpo-17134.

    @merwok merwok closed this as completed Feb 5, 2013
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022