Ronald Oussoren added the comment:

See also: issue 15740


A version of OpenSSL as included in some versions of OSX can be downloaded from 
<http://opensource.apple.com/tarballs/OpenSSL098/>; as mentioned in issue 15740, 
the versions included in the most recent OS updates don't seem to be there.

I've downloaded OpenSSL098-35.1, and that includes the files 
./src/crypto/x509/x509_vfy_apple.h and ./src/crypto/x509/x509_vfy_apple.c, which 
implement the behavior I mentioned earlier: first try to verify using the 
default OpenSSL mechanism, then verify using the TrustEvaluationAgent. 

Now that I look at that code again: we can't extract that code and use it to 
patch upstream OpenSSL, the TrustEvaluationAgent framework is a private 
framework and hence off limits.

It is probably possible to reimplement the same feature using public APIs, but 
that's new development and should be off-limits for a bugfix release (and isn't 
something that can be done very soon without risking introducing new bugs in 
security-related code).

Direct links to the source code I mentioned: 
http://opensource.apple.com/source/OpenSSL098/OpenSSL098-32/src/crypto/x509/x509_vfy_apple.c
http://opensource.apple.com/source/OpenSSL098/OpenSSL098-32/src/crypto/x509/x509_vfy_apple.h


A blog post about this feature by one of the curl developers: 
http://daniel.haxx.se/blog/2011/11/05/apples-modified-ca-cert-handling-and-curl/


P.S. Apple doesn't exactly make it easy to find this information.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue17128>
_______________________________________