ssl.get_default_verify_paths() #62343
Comments
|
The patch implements a get_default_verify_paths() function for the ssl module. It returns the env vars and paths that are used by openssl's set_default_verify_paths() to load CA certs from default locations. I think it makes a useful addition for debugging purposes. On my system: >>> import ssl
>>> ssl.get_default_verify_paths()
(None, '/usr/lib/ssl/certs')
>>> ssl.get_default_verify_paths(raw=True)
('SSL_CERT_FILE', '/usr/lib/ssl/cert.pem', 'SSL_CERT_DIR', '/usr/lib/ssl/certs')SSL_CTX_set_default_verify_paths() first tries the env var. If the env var is set the second element is ignored. |
|
I have no clue what is being returned by this function. Any chance of using types.SimpleNamespace to give meaningful names to the returned values instead of a tuple? |
|
Sure! I can add SimpleNamespace. The C function returns four elements:
SSLContext.set_default_verify_paths() is unable to return information if it was able to load any CA certs. With get_default_verify_paths() a developer is able to debug which file or directory is used by OpenSSL. The code is based on OpenSSL's X509_STORE_set_default_paths(). If you want to read up on it: http://cvs.openssl.org/fileview?f=openssl/crypto/x509/x509_d2.c&v=1.7 |
|
I forgot that a SimpleNamespace is an unorder collection. However the order is significant. OpenSSL uses the cafile first and ignores capath if a cert in cafile matches. The path to cafile or capath is ignored when the environment key exists -- even when it doesn't point to any existing file or directory. I think a named tuple is better here. |
|
How about that output, Brett? cafile is None because /usr/lib/ssl/cert.pem doesn't exist on my system. >>> import ssl
>>> ssl.get_default_verify_paths()
DefaultVerifyPaths(cafile=None, capath='/usr/lib/ssl/certs')
>>> ssl.get_default_verify_paths(raw=True)
RawDefaultVerifyPaths(cafile_env_key='SSL_CERT_FILE', cafile='/usr/lib/ssl/cert.pem', capath_env_key='SSL_CERT_DIR', capath='/usr/lib/ssl/certs') |
|
That's better. As long as you use result[1::2] then the tuple is reasonable to use for the order need and still make sense as an iterable. |
|
New patch with tests and documentation. |
|
Your "raw" parameter is one too many IMO. You should find a way to present all relevant information in a single API call. |
|
How about a single return value: DefaultVerifyPaths = collections.namedtuple("DefaultVerifyPaths",
"cafile capath openssl_cafile_env openssl_cafile openssl_capath_env openssl_capath") |
Sounds good. |
|
New changeset a4d31e56075d by Christian Heimes in branch 'default': |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: