> On 16 Nov 2015, at 11:54, Sean Dague <s...@dague.net> wrote: > That sounds pretty reasonable to me. I definitely support the idea that > we should be using system CA by default, even if that means overriding > requests in our tools.
Setting REQUESTS_CA_BUNDLE is absolutely the way to go about this. In requests 2.9.0 we will also support the case that REQUESTS_CA_BUNDLE points to a directory of certificates, not a single certificate file, so this should cover all Linux distributions methods of distributing OpenSSL-compatible certificates. If OpenStack wants to support using Windows and OS X built-in certificate stores, that's harder. This is because both systems do not use PEM-file based certificate distribution, which means OpenSSL can’t read them. Cory
signature.asc
Description: Message signed with OpenPGP using GPGMail
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
