Message 236520 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	Lukasa
Recipients	Lukasa, alex, christian.heimes, demian.brecht, dstufft, giampaolo.rodola, icordasc, janssen, lac, nagle, pitrou
Date	2015-02-24.17:15:40
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1424798140.75.0.615077451413.issue23476@psf.upfronthosting.co.za>
In-reply-to

Content
The problem specifically is that OpenSSL only uses a root in the trust store as an anchor. That means any certificate that is signed by another certificate will not terminate the chain of trust. Browsers do better here, by trusting the entirety of the trust store, regardless of whether or not it's a root certificate. Donald is correct: this is not really Python's fault, it's OpenSSL's.

The problem specifically is that OpenSSL only uses a *root* in the trust store as an anchor. That means any certificate that is signed by another certificate will not terminate the chain of trust. Browsers do better here, by trusting the entirety of the trust store, regardless of whether or not it's a root certificate.

Donald is correct: this is not really Python's fault, it's OpenSSL's.

History
Date	User	Action	Args
2015-02-24 17:15:40	Lukasa	set	recipients: + Lukasa, janssen, nagle, pitrou, giampaolo.rodola, christian.heimes, alex, icordasc, dstufft, demian.brecht, lac
2015-02-24 17:15:40	Lukasa	set	messageid: <1424798140.75.0.615077451413.issue23476@psf.upfronthosting.co.za>
2015-02-24 17:15:40	Lukasa	link	issue23476 messages
2015-02-24 17:15:40	Lukasa	create