Author christian.heimes
Recipients Arfrever, barry, benjamin.peterson, christian.heimes, eric.araujo, fweimer, icordasc, jcea, loewis, naif, pitrou
Date 2013-07-07.23:35:55
Message-id <1373240155.89.0.67198978521.issue13655@psf.upfronthosting.co.za>
I think we can improve the situation with shipping our own CA certs. Almost every operating system or distribution comes with a set of CA certs.

I looked at lots of Linux distributions and most BSD systems. All except FreeBSD install CA certs by default. A fresh FreeBSD system doesn't have certs but ``pkg_add -r ca-root-nss`` fixes that. At least some versions of SuSE don't have a cafile but rather a capath directory. On Windows #17134 and #16487 are going to allow us to use Windows' cert store through crypt32.dll.

Here is a full list:

cert_paths = [
    # Debian, Ubuntu, Arch, SuSE
    # NetBSD (security/mozilla-rootcerts)
    "/etc/ssl/certs/",
    # Debian, Ubuntu, Arch: maintained by update-ca-certificates
    "/etc/ssl/certs/ca-certificates.crt",
    # Red Hat 5+, Fedora, Centos
    "/etc/pki/tls/certs/ca-bundle.crt",
    # Red Hat 4
    "/usr/share/ssl/certs/ca-bundle.crt",
    # FreeBSD (security/ca-root-nss package)
    "/usr/local/share/certs/ca-root-nss.crt",
    # FreeBSD (deprecated security/ca-root package, removed 2008)
    "/usr/local/share/certs/ca-root.crt",
    # FreeBSD (optional symlink)
    # OpenBSD
    "/etc/ssl/cert.pem",
    # Mac OS X
    "/System/Library/OpenSSL/certs/cert.pem",
    ]

I'd like to add the list to our ssl.py and add an API to check and load certs from those files, directories and other places (Windows).
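As an added example (not code from this message or from CPython's ssl module), one shape such an API could take over the list above: it tells a cafile apart from a capath, rejects a directory that lacks OpenSSL hash links, counts what a bundle actually contributed, and reports a bogus bundle as skipped instead of silently leaving the context without trust anchors. It assumes Python 3.4+ for ``cert_store_stats()``; the temporary layout built in ``demo()`` is constructed.

```python
import os
import ssl
import tempfile

# Candidate locations from the message above; assumes Python 3.4+ (cert_store_stats).
CERT_PATHS = [
    "/etc/ssl/certs/", "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt", "/usr/share/ssl/certs/ca-bundle.crt",
    "/usr/local/share/certs/ca-root-nss.crt", "/usr/local/share/certs/ca-root.crt",
    "/etc/ssl/cert.pem", "/System/Library/OpenSSL/certs/cert.pem",
]

def classify_ca_locations(paths):
    """Yield (kind, path): "cafile" (PEM bundle), "capath" (directory with
    OpenSSL hash links such as 3513523f.0) or "emptydir" (directory without)."""
    for path in paths:
        if os.path.isdir(path):
            hashed = any(n.rsplit(".", 1)[-1].isdigit() for n in os.listdir(path))
            yield ("capath" if hashed else "emptydir", path)
        elif os.path.isfile(path):
            yield ("cafile", path)

def load_system_certs(ctx, paths=CERT_PATHS):
    """Load usable candidates into ctx; return ([(path, n_certs)], [(path, why)]).
    OpenSSL rejects a cafile with no certificate (ssl.SSLError, an OSError subclass)."""
    loaded, skipped = [], []
    for kind, path in classify_ca_locations(paths):
        try:
            if kind == "cafile":
                before = ctx.cert_store_stats()["x509"]
                ctx.load_verify_locations(cafile=path)
                loaded.append((path, ctx.cert_store_stats()["x509"] - before))
            elif kind == "capath":
                ctx.load_verify_locations(capath=path)  # looked up lazily: no count
                loaded.append((path, None))
            else:
                skipped.append((path, "directory without hashed links"))
        except OSError as exc:
            skipped.append((path, str(exc)))
    return loaded, skipped

def demo():
    # Constructed layout: a missing path, an unhashed directory and a non-PEM file.
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "certs"))
        with open(os.path.join(tmp, "ca-bundle.crt"), "w") as f:
            f.write("not a certificate\n")  # constructed bogus bundle
        paths = [os.path.join(tmp, n) for n in ("missing.crt", "certs", "ca-bundle.crt")]
        kinds = [k for k, _ in classify_ca_locations(paths)]
        loaded, skipped = load_system_certs(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), paths)
        return kinds, loaded, [os.path.basename(p) for p, _ in skipped]
```

On a real host, run ``load_system_certs`` against ``CERT_PATHS`` and check that at least one entry in the loaded list reports a non-zero certificate count before trusting the context.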