On 31.08.2014 19:29, Antoine Pitrou wrote:
> You certainly shouldn't do so. If an application has special needs that
> require trusting a self-signed certificate, then it should expose a
> configuration setting to let users specify the cert's location. Stuffing
> self-signed certs into the system trust store is really a measure of
> last resort.
Correct! I merely wanted to state that OpenSSL can verify a self-signed certificate easily. The certificate 'just' has to be added to the SSLContext's store of trusted root certs. Somebody has to figure out how Python can accomplish the task.

> There's another case which isn't solved by this, though, which is when a
> cert is invalid. The common situation being that it has expired
> (renewing certs is a PITA and therefore expired certs are more common
> than it sounds they should be). In this case, there is no way to
> whitelist it: you have to disable certificate checking altogether. This
> can be exposed by the application as configuration option if necessary,
> as well.

It's possible to ignore errors with a verify callback. OpenSSL's wiki has an example for expired certs:
http://wiki.openssl.org/index.php/Manual:X509_STORE_CTX_set_verify_cb%283%29#EXAMPLES

Christian

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
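An added example, not from this thread or from CPython, of how the two application-level settings discussed above map onto Python's stdlib `ssl` module: an optional file with the self-signed cert the application must trust (added to the context's own store, not the system store) and a separate last-resort switch that disables checking altogether for an expired cert. The function names `make_client_context` and `cert_expired` and the sample `notAfter` value are my own.

```python
import ssl
import time


def make_client_context(app_ca_file=None, verify=True):
    """Build a client SSLContext from application settings.

    Default: system trust store with full verification, as set up by
    ssl.create_default_context() (CERT_REQUIRED plus hostname check).

    app_ca_file: hypothetical application setting naming a PEM file with the
    self-signed certificate (or private CA) this application has to trust.
    It is added to this context only; the system trust store is untouched.

    verify=False: the last-resort switch for an expired or otherwise invalid
    cert, which cannot be whitelisted and so has to be turned off wholesale.
    """
    ctx = ssl.create_default_context()
    if app_ca_file:
        ctx.load_verify_locations(cafile=app_ca_file)
    if not verify:
        # Order matters: check_hostname must be cleared before verify_mode
        # is lowered, otherwise SSLContext raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def cert_expired(peercert, now=None):
    """True if the 'notAfter' field of a getpeercert()-style dict is in the past.

    Lets the application report *why* verification failed (expiry) before
    anyone reaches for the verify=False switch.
    """
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    return not_after < (time.time() if now is None else now)


if __name__ == "__main__":
    # Constructed sample cert dict; only the field this check needs.
    sample = {"notAfter": "Aug 31 23:59:59 2014 GMT"}
    print("expired:", cert_expired(sample))
    print("default verify_mode:", make_client_context().verify_mode)
```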