Author christian.heimes
Recipients Arfrever, barry, benjamin.peterson, christian.heimes, eric.araujo, fweimer, icordasc, jcea, loewis, naif, pitrou
Date 2013-07-07.23:35:55
I think we can improve the situation with shipping our own CA certs. Almost every operating system or distribution comes with a set of CA certs.

I lots of Linux distributions and most BSD systems. All except FreeBSD install CA certs by default. A fresh FreeBSD system doesn't have certs but ``pkg_add -r ca-root-nss`` fixes that. At least some versions of SuSE don't have a cafile but rather a capath directory. On Windows #17134 and #16487 are going to allow us to use Windows' cert store through crypt32.dll.

Here is a full list:

cert_paths = [
    # Debian, Ubuntu, Arch, SuSE
    # NetBSD (security/mozilla-rootcerts)
    # Debian, Ubuntu, Arch: maintained by update-ca-certificates
    # Red Hat 5+, Fedora, Centos
    # Red Hat 4
    # FreeBSD (security/ca-root-nss package)
    # FreeBSD (deprecated security/ca-root package, removed 2008)
    # FreeBSD (optional symlink)
    # OpenBSD
    # Mac OS X
]

I'd like to add the list to our and add an API to check and load certs from those files, directories and other places (Windows).
Date                 User              Action  Args
2013-07-07 23:35:56  christian.heimes  set     recipients: + christian.heimes, loewis, barry, jcea, pitrou, benjamin.peterson, eric.araujo, Arfrever, naif, icordasc, fweimer
2013-07-07 23:35:55  christian.heimes  set     messageid: <>
2013-07-07 23:35:55  christian.heimes  link    issue13655 messages
2013-07-07 23:35:55  christian.heimes  create
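
The check-and-load step proposed in the message above could look like the following. This is an added example, not code from the message or from CPython. The function names `probe_ca_locations` and `context_from_system_store` are hypothetical, and the candidate paths are supplied by the caller because the message's own path list is not reproduced here.

```python
import os
import ssl


def probe_ca_locations(candidates):
    """Sort candidate paths into usable cafile bundles and capath directories.

    A cafile is one PEM file holding many certificates; a capath is a
    directory of hashed per-certificate files (the layout the message
    notes for some SuSE versions). Missing or empty entries are skipped.
    """
    cafiles, capaths = [], []
    for path in candidates:
        if os.path.isfile(path) and os.path.getsize(path) > 0:
            cafiles.append(path)
        elif os.path.isdir(path) and os.listdir(path):
            capaths.append(path)
    return cafiles, capaths


def context_from_system_store(candidates):
    """Build a verifying client context from the first usable CA location.

    Fails closed: if nothing usable is found, raise instead of returning
    a context that would accept unverified peers.
    """
    cafiles, capaths = probe_ca_locations(candidates)
    if not cafiles and not capaths:
        raise FileNotFoundError("no CA bundle file or directory found")

    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafiles:
        # Bundle file: parsed immediately, raises ssl.SSLError if not PEM.
        ctx.load_verify_locations(cafile=cafiles[0])
    else:
        # Directory: OpenSSL looks certificates up lazily during handshakes.
        ctx.load_verify_locations(capath=capaths[0])
    return ctx


if __name__ == "__main__":
    # Report what the local OpenSSL build considers its default locations.
    defaults = ssl.get_default_verify_paths()
    found = probe_ca_locations([p for p in (defaults.cafile, defaults.capath) if p])
    print("usable cafiles:", found[0])
    print("usable capaths:", found[1])
```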