[issue13655] Python SSL stack doesn't have a default CA Store

Benjamin Peterson added the comment: I don't think we're planning to distribute our own store of certs. -- resolution: -> works for me status: open -> closed ___ Python tracker

[issue13655] Python SSL stack doesn't have a default CA Store

Changes by koobs : -- nosy: +koobs ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mail

[issue13655] Python SSL stack doesn't have a default CA Store

Christian Heimes added the comment: All these paths are on directories that are supposed to be read-only for untrusted users. You can't protect yourself against a malicious admin anyway. For Python 3.4 the ssl module uses the cert path that are configured with OpenSSL. The paths and configurat

[issue13655] Python SSL stack doesn't have a default CA Store

Dima Tisnek added the comment: re: cert_paths = [...] This approach is rather problematic, there's no guarantee that a path trusted on one system is trusted on another. I saw this in setuptools branch, where it does: for path in cert_path: if os.path.exists(path) return path Let'

[issue13655] Python SSL stack doesn't have a default CA Store

Changes by Ludwig Nussel : -- nosy: +lnussel ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python

[issue13655] Python SSL stack doesn't have a default CA Store

Changes by Donald Stufft : -- nosy: +dstufft ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python

[issue13655] Python SSL stack doesn't have a default CA Store

Barry A. Warsaw added the comment: On Jul 08, 2013, at 11:56 AM, Antoine Pitrou wrote: >I don't think it's a good idea to maintain a list of hard-coded >paths in Python: it's not manageable, and it will always become >outdated. If there was a widely-respected standard (e.g. in FHS or >LSB), thin

[issue13655] Python SSL stack doesn't have a default CA Store

Antoine Pitrou added the comment: > I think we can improve the situation with shipping our own CA certs. > Almost every operating system or distribution comes with a set of CA > certs. Why would we ship our own CA certs if every OS comes with CA certs? > I lots of Linux distributions and most B

[issue13655] Python SSL stack doesn't have a default CA Store

Christian Heimes added the comment: I think we can improve the situation with shipping our own CA certs. Almost every operating system or distribution comes with a set of CA certs. I lots of Linux distributions and most BSD systems. All except FreeBSD install CA certs by default. A fresh FreeB

[issue13655] Python SSL stack doesn't have a default CA Store

Changes by Barry A. Warsaw : -- nosy: +barry ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python

[issue13655] Python SSL stack doesn't have a default CA Store

Changes by Arfrever Frehtes Taifersar Arahesis : -- nosy: +Arfrever ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscri

[issue13655] Python SSL stack doesn't have a default CA Store

Changes by Florian Weimer : -- nosy: +fweimer ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.pytho

[issue13655] Python SSL stack doesn't have a default CA Store

Antoine Pitrou added the comment: > Éric's suggestion is also implemented in python-requests if I remember > correctly. It allows for user-specified PEM files and tries to find the > operating system bundle. This would be a wonderful inclusion in the > standard library. Aren't load_verify_loca

[issue13655] Python SSL stack doesn't have a default CA Store

Ian Cordasco added the comment: Éric's suggestion is also implemented in python-requests if I remember correctly. It allows for user-specified PEM files and tries to find the operating system bundle. This would be a wonderful inclusion in the standard library. -- nosy: +icordasc

[issue13655] Python SSL stack doesn't have a default CA Store

Éric Araujo added the comment: Copy of a message by Christian Heimes on a duplicate report: For effective SSL server cert validation a bundle of trustworthy CA certs is required. Most system ship such a bundle but it's not always possible to access the bundle from Python / OpenSSL. Windows a

[issue13655] Python SSL stack doesn't have a default CA Store

Éric Araujo added the comment: I propose to change the scope of this request to: ssl module should provide a way to access the OS CA bundle. -- versions: +Python 3.4 -Python 3.3 ___ Python tracker

[issue13655] Python SSL stack doesn't have a default CA Store

Changes by Éric Araujo : -- nosy: +pitrou ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.or

[issue13655] Python SSL stack doesn't have a default CA Store

Changes by Éric Araujo : -- nosy: +eric.araujo, loewis versions: -Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.4 ___ Python tracker ___ _

[issue13655] Python SSL stack doesn't have a default CA Store

Benjamin Peterson added the comment: I'm not sure Python should be in the business of distributing CA certificates. I think it's better left to the application or Linux distribution. -- nosy: +benjamin.peterson ___ Python tracker

[issue13655] Python SSL stack doesn't have a default CA Store

Changes by Jesús Cea Avión : -- nosy: +jcea ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.

[issue13655] Python SSL stack doesn't have a default CA Store

naif added the comment: Mozilla CA are available on: https://www.mozilla.org/projects/security/certs/ The warranty and security process of Mozilla handling of SSL CA root certs is described on: https://wiki.mozilla.org/CA I think that Python language could reasonably base it's default root

[issue13655] Python SSL stack doesn't have a default CA Store

Changes by naif : -- type: -> security ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/

[issue13655] Python SSL stack doesn't have a default CA Store

New submission from naif : For the certificate store: Can we eventually agree to bind a default CA-store to a Mozilla verified one? Mozilla in handling Firefox does a great job in keeping CA-store up-to-date. Integrating default mozilla CA-store with Python builds could be a nice way, it's jus