Message192601
I think we can improve the situation with shipping our own CA certs. Almost every operating system or distribution comes with a set of CA certs.
I lots of Linux distributions and most BSD systems. All except FreeBSD install CA certs by default. A fresh FreeBSD systems doesn't have certs but ``pkg_add -r ca-root-nss`` fixes that. At least some versions of SuSE don't have a cafile but rather a capath directory. On Windows #17134 and #16487 are going to allow us to use Windows' cert store through crypt32.dll.
Here is a full list:
cert_paths = [
# Debian, Ubuntu, Arch, SuSE
# NetBSD (security/mozilla-rootcerts)
"/etc/ssl/certs/",
# Debian, Ubuntu, Arch: maintained by update-ca-certificates
"/etc/ssl/certs/ca-certificates.crt",
# Red Hat 5+, Fedora, Centos
"/etc/pki/tls/certs/ca-bundle.crt",
# Red Hat 4
"/usr/share/ssl/certs/ca-bundle.crt",
# FreeBSD (security/ca-root-nss package)
"/usr/local/share/certs/ca-root-nss.crt",
# FreeBSD (deprecated security/ca-root package, removed 2008)
"/usr/local/share/certs/ca-root.crt",
# FreeBSD (optional symlink)
# OpenBSD
"/etc/ssl/cert.pem",
# Mac OS X
"/System/Library/OpenSSL/certs/cert.pem",
]
I'd like to add the list to our ssl.py and add an API to check and load certs from that files, directories and other places (Windows). |
|
Date |
User |
Action |
Args |
2013-07-07 23:35:56 | christian.heimes | set | recipients:
+ christian.heimes, loewis, barry, jcea, pitrou, benjamin.peterson, eric.araujo, Arfrever, naif, icordasc, fweimer |
2013-07-07 23:35:55 | christian.heimes | set | messageid: <1373240155.89.0.67198978521.issue13655@psf.upfronthosting.co.za> |
2013-07-07 23:35:55 | christian.heimes | link | issue13655 messages |
2013-07-07 23:35:55 | christian.heimes | create | |
|