
Author ronaldoussoren
Recipients benjamin.peterson, brian.curtin, christian.heimes, eric.araujo, esc24, georg.brandl, larry, loewis, ned.deily, pitrou, ronaldoussoren
Date 2013-02-08.09:34:06
See also: issue 15740

A version of OpenSSL as included in some versions of OSX can be downloaded from <>. As mentioned in issue 15740, the versions as included in the most recent OS updates don't seem to be there.

I've downloaded OpenSSL098-35.1 and that includes files ./src/crypto/x509/x509_vfy_apple.h and ./src/crypto/x509/x509_vfy_apple.c which implement the behavior I mentioned earlier: first try to verify using the default OpenSSL mechanism, then verify using the TrustEvaluationAgent. 

Now that I look at that code again: we can't extract that code and use it to patch upstream OpenSSL; the TrustEvaluationAgent framework is a private framework and hence off limits.

It is probably possible to reimplement the same feature using public APIs, but that's new development and should be off-limits for a bugfix release (and isn't something that can be done very soon without risking the introduction of new bugs in security-related code).

Direct link to the source code I mentioned:,

A blog about this feature by one of the curl developers:

P.S. Apple doesn't exactly make it easy to find this information.

Date                 User            Action  Args
2013-02-08 09:34:07  ronaldoussoren  set     recipients: + ronaldoussoren, loewis, georg.brandl, pitrou, larry, christian.heimes, benjamin.peterson, ned.deily, eric.araujo, brian.curtin, esc24
2013-02-08 09:34:07  ronaldoussoren  set     messageid: <>
2013-02-08 09:34:07  ronaldoussoren  link    issue17128 messages
2013-02-08 09:34:06  ronaldoussoren  create