On 2017-01-30 21:50, Cory Benfield wrote: > > >> On 30 Jan 2017, at 13:53, David Cournapeau <cournape at gmail.com> wrote: >> >> Are there any official recommendations for downstream packagers beyond PEP 476 ? Is it "acceptable" for downstream packagers to patch python's default cert locations ? > > There *are* no default cert locations on Windows or macOS that can be accessed by OpenSSL. > > I cannot stress this strongly enough: you cannot provide a platform-native certificate validation logic for Python *and* use OpenSSL for certificate validation on Windows or macOS. (macOS can technically do this when you link against the system OpenSSL, at the cost of using a catastrophically insecure version of OpenSSL.) In theory it is possible for Python and OpenSSL, too. I looked into a custom X509_LOOKUP_METHOD to locate trust anchors by subject. Steve is trying an alternative approach in https://bugs.python.org/issue28747. It ain't pretty and we are not there yet, too. Native support for SChannel and SecureTransport has some benefits. It's too bad OpenSSL lacks support for PKCS#11 Trust Assertion Objects. We could use https://p11-glue.freedesktop.org/doc/pkcs11-trust-assertions/#pkcs11-objects under Linux and the PKCS#11 under Windows and macOS. Christian
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4