This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author pitrou
Recipients Lukasa, alex, christian.heimes, demian.brecht, dstufft, giampaolo.rodola, icordasc, janssen, lac, nagle, pitrou
Date 2015-02-24.16:22:57
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1424794977.54.0.729580281908.issue23476@psf.upfronthosting.co.za>
In-reply-to
Content
> and it is not reproducible using openssl s_client

I have determined that s_client is buggy. It will always load the system certs *if and only if* you also pass it a valid custom CA cert (which is the reverse of what's expected).

This is where it happens (in apps/s_client.c):

    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
        (!SSL_CTX_set_default_verify_paths(ctx))) {
        /*
         * BIO_printf(bio_err,"error setting default verify locations\n");
         */
        ERR_print_errors(bio_err);
        /* goto end; */
    }

This is why I forced SSL_CERT_* to empty locations in the examples above, so that only the custom CA bundle is used.
History
Date User Action Args
2015-02-24 16:22:57pitrousetrecipients: + pitrou, janssen, nagle, giampaolo.rodola, christian.heimes, alex, icordasc, dstufft, demian.brecht, Lukasa, lac
2015-02-24 16:22:57pitrousetmessageid: <1424794977.54.0.729580281908.issue23476@psf.upfronthosting.co.za>
2015-02-24 16:22:57pitroulinkissue23476 messages
2015-02-24 16:22:57pitroucreate