Christian Heimes added the comment: I think we can improve the situation with shipping our own CA certs. Almost every operating system or distribution comes with a set of CA certs.
I lots of Linux distributions and most BSD systems. All except FreeBSD install CA certs by default. A fresh FreeBSD system doesn't have certs but ``pkg_add -r ca-root-nss`` fixes that. At least some versions of SuSE don't have a cafile but rather a capath directory. On Windows #17134 and #16487 are going to allow us to use Windows' cert store through crypt32.dll.

Here is a full list:

    cert_paths = [
        # Debian, Ubuntu, Arch, SuSE
        # NetBSD (security/mozilla-rootcerts)
        "/etc/ssl/certs/",
        # Debian, Ubuntu, Arch: maintained by update-ca-certificates
        "/etc/ssl/certs/ca-certificates.crt",
        # Red Hat 5+, Fedora, Centos
        "/etc/pki/tls/certs/ca-bundle.crt",
        # Red Hat 4
        "/usr/share/ssl/certs/ca-bundle.crt",
        # FreeBSD (security/ca-root-nss package)
        "/usr/local/share/certs/ca-root-nss.crt",
        # FreeBSD (deprecated security/ca-root package, removed 2008)
        "/usr/local/share/certs/ca-root.crt",
        # FreeBSD (optional symlink)
        # OpenBSD
        "/etc/ssl/cert.pem",
        # Mac OS X
        "/System/Library/OpenSSL/certs/cert.pem",
    ]

I'd like to add the list to our ssl.py and add an API to check and load certs from those files, directories and other places (Windows).

----------
nosy: +christian.heimes

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13655>
_______________________________________
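The following is an added example, not Christian's proposed API and not what ssl.py ships: it takes the path list from the comment above and shows how a loader would have to tell cafiles (PEM bundles) from capath directories, since `SSLContext.load_verify_locations` takes them as different arguments. It also adds the check a practitioner wants for the capath case: OpenSSL only consults a capath directory through `<subject-hash>.<n>` entries, so a directory of plain PEM files without those links loads nothing and should be reported rather than silently accepted. The function names and the injectable filesystem probes are assumptions made for this example; the test layout is constructed.

```python
import os
import re
import ssl

# Candidate locations, copied from the tracker comment above.
CERT_PATHS = [
    "/etc/ssl/certs/",                         # Debian, Ubuntu, Arch, SuSE, NetBSD (capath)
    "/etc/ssl/certs/ca-certificates.crt",      # Debian, Ubuntu, Arch
    "/etc/pki/tls/certs/ca-bundle.crt",        # Red Hat 5+, Fedora, CentOS
    "/usr/share/ssl/certs/ca-bundle.crt",      # Red Hat 4
    "/usr/local/share/certs/ca-root-nss.crt",  # FreeBSD (security/ca-root-nss)
    "/usr/local/share/certs/ca-root.crt",      # FreeBSD (deprecated security/ca-root)
    "/etc/ssl/cert.pem",                       # OpenBSD, FreeBSD optional symlink
    "/System/Library/OpenSSL/certs/cert.pem",  # Mac OS X
]

# An OpenSSL capath is only usable if it contains entries named
# <subject-hash>.<n>, e.g. "ae4c1a0e.0" (8 hex digits, a dot, a counter).
# Plain PEM files in the directory are ignored by the verifier.
HASHED_ENTRY = re.compile(r"^[0-9a-f]{8}\.\d+$")


def has_hashed_entries(directory, listdir=os.listdir):
    """True if `directory` looks like a usable OpenSSL capath."""
    try:
        return any(HASHED_ENTRY.match(name) for name in listdir(directory))
    except OSError:
        return False


def classify_cert_paths(candidates, isfile=os.path.isfile, isdir=os.path.isdir,
                        listdir=os.listdir):
    """Sort candidates into (cafiles, usable capaths, dirs without hashed entries).

    The filesystem probes are parameters (an assumption of this example) so the
    logic can be exercised against a constructed layout without touching the
    real system.
    """
    cafiles, capaths, unhashed = [], [], []
    for path in candidates:
        if isdir(path):
            (capaths if has_hashed_entries(path, listdir) else unhashed).append(path)
        elif isfile(path):
            cafiles.append(path)
    return cafiles, capaths, unhashed


def load_system_certs(ctx, candidates=CERT_PATHS, **probes):
    """Load every discovered location into `ctx`; return the classification."""
    cafiles, capaths, unhashed = classify_cert_paths(candidates, **probes)
    for cafile in cafiles:
        ctx.load_verify_locations(cafile=cafile)
    for capath in capaths:
        ctx.load_verify_locations(capath=capath)
    return cafiles, capaths, unhashed


if __name__ == "__main__":
    # A bare client context loads no defaults, so the final count reflects
    # only what this loader found on the machine it runs on.
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cafiles, capaths, unhashed = load_system_certs(context)
    print("cafiles:", cafiles)
    print("capaths:", capaths)
    print("directories without hashed entries (skipped):", unhashed)
    print("CA certs now in store:", context.cert_store_stats()["x509"])
```

Run as a script it reports which of the listed locations exist on the current host and how many CA certificates actually landed in the store, which is the number to look at: a capath that exists but yields zero certificates is the SuSE-style case the comment mentions, only with the hashing step missing.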