reassign 805646 openssl
thanks

Dear openssl maintainers,
Daniel Pocock filed this bug for the package nagios-check-xmppng that I maintain. After some analysis I found out that the paths returned from the Python interpreter don't match the default Debian certificate paths (/etc/ssl/certs and /etc/ssl/certs/ca-certificates.crt) where the ca-certificates package installs the default trusted certificates.

I had a discussion in #debian-python about whether this is an issue with the Python interpreter, but the Python maintainer Matthias Klose told me that Python just uses openssl internal functions [1], [2] and does no magic path calculation or certificate loading by itself.

[1] https://hg.python.org/cpython/file/v3.5.0/Modules/_ssl.c#l3197
[2] https://hg.python.org/cpython/file/v3.5.0/Modules/_ssl.c#l3950

According to my tests documented earlier in this bug report the returned paths are /usr/lib/ssl/certs and /usr/lib/ssl/cert.pem. The first exists and is a directory but the second does not exist. I expected that, given the correct /usr/lib/ssl/certs path, the function SSL_CTX_set_default_verify_paths should successfully load the default trusted certificates, but it does not.
One more test today revealed that symlinking /etc/ssl/certs/ca-certificates.crt to /usr/lib/ssl/cert.pem fixes the issue:

    >>> import ssl
    >>> context = ssl.create_default_context()
    >>> context.load_default_certs()
    >>> context.cert_store_stats()
    {'crl': 0, 'x509_ca': 177, 'x509': 177}

I don't know whether this will have negative side effects, but from my point of view it would be nice if the openssl package would do one of the following to properly solve this issue:

1) properly load certificates from /etc/ssl/certs when SSL_CTX_set_default_verify_paths is called
2) change the default paths to /etc/ssl/certs and /etc/ssl/certs/ca-certificates.crt instead of /usr/lib/ssl/certs and /usr/lib/ssl/cert.pem
3) provide a symlink from /usr/lib/ssl/cert.pem to /etc/ssl/certs/ca-certificates.crt

Best regards
Jan Dittberner

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
https://portfolio.debian.net/ - https://people.debian.org/~jandd/
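The diagnosis the report walks through (which paths OpenSSL was built with, whether they exist on disk, and how many CAs load_default_certs actually pulls in), written up as an added Python script. It is not part of the bug report and not code from the openssl or python packages; the Debian paths are the ones named in the report, and the function names and verdict strings are my own. One caveat when reading cert_store_stats(): certificates from a cafile are parsed eagerly and counted, whereas a capath is a by-hash directory that OpenSSL consults lazily during verification, so a count of 0 with only a capath present is not by itself proof that verification lacks trust anchors. The script therefore reports that case as inconclusive rather than broken, and also shows what an explicit load of the Debian bundle yields for comparison.

```python
import os
import ssl

# Where Debian's ca-certificates package installs the trust store (paths from the report).
DEBIAN_CAPATH = "/etc/ssl/certs"
DEBIAN_CAFILE = "/etc/ssl/certs/ca-certificates.crt"


def compiled_in_paths():
    """Paths OpenSSL was configured with, as seen via Python, plus whether they exist."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.openssl_cafile,
        "capath": p.openssl_capath,
        "cafile_exists": bool(p.openssl_cafile) and os.path.isfile(p.openssl_cafile),
        "capath_exists": bool(p.openssl_capath) and os.path.isdir(p.openssl_capath),
        # SSL_CERT_FILE / SSL_CERT_DIR override the compiled-in defaults when set.
        "cafile_env_set": p.openssl_cafile_env in os.environ,
        "capath_env_set": p.openssl_capath_env in os.environ,
    }


def ca_count(cafile=None, capath=None):
    """Number of CA certificates eagerly loaded into a fresh context.

    With no arguments this mirrors the report: rely on the default paths
    (SSL_CTX_set_default_verify_paths via load_default_certs). With arguments
    it loads the given locations explicitly. PROTOCOL_TLS_CLIENT is used so
    that nothing is loaded before we ask (create_default_context would load
    the defaults on construction already).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    else:
        ctx.load_default_certs()
    return ctx.cert_store_stats()["x509_ca"]


def classify(default_count, cafile_exists, capath_exists):
    """Deterministic verdict so the reasoning is testable without a real trust store."""
    if default_count > 0:
        return "ok"
    if not cafile_exists and not capath_exists:
        return "no-default-locations"
    if capath_exists:
        # A hashed directory is read lazily at verification time; a zero count
        # here does not prove that the directory is empty or unusable.
        return "capath-present-count-inconclusive"
    return "cafile-present-but-empty"


def diagnose():
    """Compare default loading against an explicit load of the Debian bundle."""
    info = compiled_in_paths()
    info["default_ca_count"] = ca_count()
    info["verdict"] = classify(
        info["default_ca_count"], info["cafile_exists"], info["capath_exists"]
    )
    # load_verify_locations raises if the file is missing, so guard on existence.
    info["debian_cafile_ca_count"] = (
        ca_count(cafile=DEBIAN_CAFILE) if os.path.isfile(DEBIAN_CAFILE) else None
    )
    # Expect 0 here even on a healthy system: capath entries are not counted.
    info["debian_capath_ca_count"] = (
        ca_count(capath=DEBIAN_CAPATH) if os.path.isdir(DEBIAN_CAPATH) else None
    )
    return info


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run it on the affected host and on a host where the check works; a "cafile-present-but-empty" or "no-default-locations" verdict is a real configuration gap, while "capath-present-count-inconclusive" means the count alone cannot settle the question and an actual verification attempt against the capath is the decisive test.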