Antoine Pitrou added the comment:
> and it is not reproducible using openssl s_client
I have determined that s_client is buggy. It will always load the system certs
*if and only if* you also pass it a valid custom CA cert (which is the reverse
of what's expected).
This is where it happens (in apps/s_client.c):
if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(ctx))) {
/*
* BIO_printf(bio_err,"error setting default verify locations\n");
*/
ERR_print_errors(bio_err);
/* goto end; */
}
This is why I forced SSL_CERT_* to empty locations in the examples above, so
that only the custom CA bundle is used.
----------
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue23476>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
