Donald Stufft added the comment:

> Now, I knew how to fix this, but the solution was not
> an obvious one. I had to use truss to figure out where OpenSSL
> was looking for certificates and then added the Mozilla cert
> bundle from our egenix-pyopenssl package to make things work
> again.

You also could have passed the --cert flag to pip to tell pip specifically where to look for them (also available via environment variable and config file) though I'm guessing it wasn't actually pip itself that had a problem because we ship our own CA file and we don't actually rely on the stdlib to have validated TLS. Unless you were using an old pip I guess.

> Again: Please let the users decide what level of security they
> want to apply. We can point users to solutions, but in the end
> have to respect their own decisions. Note that staying with
> Python 2.7.8 is a much worse approach than disabling the checks.

Sure, and nobody has ever advocated to make it impossible to disable the TLS verification. For me it's entirely about the scope of the setting. I don't think that a Python wide setting is the right scope. That's a knob that has an extremely large scope of which end users are most likely not going to be completely aware of the total impact of adjusting that knob. This isn't even something that they could reasonably audit their system with _today_ and then say "OK I've looked at everything that uses Python and I'm happy for it not to verify" because if they ever install anything else that uses Python (whether they know it uses Python or not) they have to re-evaluate that decision they made all over again, but with no indicator that they need to do that.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue23857>
_______________________________________