New submission from Christian Heimes:

For effective SSL server cert validation a bundle of trustworthy CA certs is 
required. Most systems ship such a bundle but it's not always possible to access 
the bundle from Python / OpenSSL. Windows and Mac OS X come to mind. wget 
and curl ship a copy of Mozilla's CA cert bundle.

The site http://curl.haxx.se/docs/caextract.html explains how to extract the CA 
certs in PEM format. I suggest that we ship the CA bundle with Python and use a 
lookup chain:

- user defined path to a cacert directory or cacert.pem file

- cacert directory or PEM file in the user's home directory: 
  cacertdir = os.path.join(site.USER_SITE, os.pardir, "cacert")
  cacertfile = os.path.join(site.USER_SITE, os.pardir, "cacert.pem")

- system's ca cert directory (/etc/ssl/certs on Linux)

- CA cert bundle shipped with the Python installation.

----------
components: Library (Lib)
messages: 181379
nosy: christian.heimes
priority: high
severity: normal
status: open
title: Include CA bundle and provide access to system's CA
type: security
versions: Python 2.6, Python 2.7, Python 3.2, Python 3.3, Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue17129>
_______________________________________
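The lookup chain proposed above, as an added Python 3 example that is not part of the tracker issue or of CPython: the bundle path under sys.prefix, the demo_layout() helper and the constructed temporary tree are assumptions, and a configured path that does not exist is treated as an error rather than a silent fall-through.

```python
import os
import site
import ssl
import sys
import tempfile

# Hypothetical bundle path shipped with the interpreter, plus the Linux system dir.
BUNDLED_CACERT = os.path.join(sys.prefix, "cacert.pem")
SYSTEM_CACERT_DIRS = ("/etc/ssl/certs",)

def user_home_candidates():
    """Per-user locations from the proposal, derived from site.USER_SITE."""
    base = os.path.join(site.USER_SITE, os.pardir)
    return [os.path.join(base, "cacert"), os.path.join(base, "cacert.pem")]

def _kind(path):
    return "dir" if os.path.isdir(path) else "file" if os.path.isfile(path) else None

def find_ca_location(user_path=None, home_candidates=None,
                     system_dirs=SYSTEM_CACERT_DIRS, bundled=BUNDLED_CACERT):
    """Walk the chain and return (kind, path) for the first existing entry.
    A configured but missing user_path raises: falling through to another store would mask it."""
    if user_path is not None:
        if _kind(user_path) is None:
            raise FileNotFoundError("configured CA path missing: %s" % user_path)
        return (_kind(user_path), user_path)
    if home_candidates is None:
        home_candidates = user_home_candidates()
    for candidate in list(home_candidates) + list(system_dirs) + [bundled]:
        if _kind(candidate) is not None:
            return (_kind(candidate), candidate)
    raise FileNotFoundError("no CA certificates found in lookup chain")

def context_from_chain(**kwargs):
    """Verifying SSLContext loaded from whatever the chain resolved (capath or cafile)."""
    kind, path = find_ca_location(**kwargs)
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(**{"capath" if kind == "dir" else "cafile": path})
    return ctx

def demo_layout():
    """Constructed sample tree for trying the chain offline: only home/cacert.pem and
    the system directory exist, the bundle does not. Returns (home, system_dirs, bundled)."""
    root = tempfile.mkdtemp(prefix="cacert-demo-")
    home, sysdir = os.path.join(root, "home"), os.path.join(root, "ssl-certs")
    os.makedirs(home)
    os.makedirs(sysdir)
    open(os.path.join(home, "cacert.pem"), "w").close()
    home_candidates = [os.path.join(home, "cacert"), os.path.join(home, "cacert.pem")]
    return home_candidates, [sysdir], os.path.join(root, "bundled-cacert.pem")
```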