Author ronaldoussoren
Recipients benjamin.peterson, esc24, georg.brandl, larry, ned.deily, ronaldoussoren
Date 2013-02-04.21:46:09
Message-id <1360014369.59.0.968360053393.issue17128@psf.upfronthosting.co.za>
Content
I'm not sure if it is worthwhile to switch right now. Apple does deprecate the use of OpenSSL, but their version does offer a feature that's not in the default tree: it verifies SSL certificates against the CA list in the system keychain.

This means that users that verify certificates (cert_reqs=CERT_REQUIRED in the ssl module) could see a regression when they don't specify a custom CA list. Not having to maintain such a list manually is very convenient.

In the longer run I'd like to try if it is possible to implement the SSL module (and other extensions linking with openssl) using Apple's crypto APIs.

(Note that a clear disadvantage of the latter is that those APIs are "above" the unix layer and likely cause problems when you use fork(2) without exec(2)).
History
Date | User | Action | Args
2013-02-04 21:46:09 | ronaldoussoren | set | recipients: + ronaldoussoren, georg.brandl, larry, benjamin.peterson, ned.deily, esc24
2013-02-04 21:46:09 | ronaldoussoren | set | messageid: <1360014369.59.0.968360053393.issue17128@psf.upfronthosting.co.za>
2013-02-04 21:46:09 | ronaldoussoren | link | issue17128 messages
2013-02-04 21:46:09 | ronaldoussoren | create |
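
The regression the message describes can be checked locally: a context that requires verification but has no CA certificates to verify against rejects every peer. The following is an added example, not part of the original message or of CPython; it uses the current Python 3 `ssl` API rather than the 2013 one, and the function name `audit_trust_store` is hypothetical.

```python
import os
import ssl


def audit_trust_store(use_defaults, cafile=None):
    """Build a verifying client context and report what it can verify against.

    use_defaults: ask the linked OpenSSL for its default CA locations.
    cafile: optional caller-maintained CA bundle (the "custom CA list").
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify_mode is CERT_REQUIRED
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    paths = ssl.get_default_verify_paths()  # cafile/capath are None if missing
    capath_entries = 0
    if use_defaults:
        ctx.load_default_certs()
        # Directory lookups are lazy, so cert_store_stats() does not count them;
        # count the directory entries separately.
        if paths.capath and os.path.isdir(paths.capath):
            capath_entries = len(os.listdir(paths.capath))
    loaded = ctx.cert_store_stats()["x509"]
    verifying = ctx.verify_mode == ssl.CERT_REQUIRED
    return {
        "verifying": verifying,
        "loaded_ca_certs": loaded,
        "default_cafile": paths.cafile if use_defaults else None,
        "default_capath": paths.capath if use_defaults else None,
        "capath_entries": capath_entries,
        # CERT_REQUIRED with nothing to verify against: every handshake
        # fails with a certificate verification error.
        "no_trust_anchors": verifying and loaded == 0 and capath_entries == 0,
    }


if __name__ == "__main__":
    for label, use_defaults in (("no CA list", False), ("library defaults", True)):
        print(label, audit_trust_store(use_defaults))
```

Whether the "library defaults" row reports any trust anchors depends on which OpenSSL build the interpreter is linked against and where that build looks for CA certificates.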