Antoine Pitrou <[email protected]> added the comment:

> What about a patch to handle a directory store passed through the
> ca_certs parameter? As it stands now, it's impossible to load the
> distribution-supplied cert store on openSUSE.

I'm afraid it would still be a new feature, unsuitable for a bugfix release.

Other distros simply have both a directory-based cert store and a cert bundle. In Mageia I see both /etc/pki/tls/rootcerts/ (a directory-based cert store) and /etc/pki/tls/certs/ca-bundle.crt (a single file cert bundle).
(yes, I hope they're synchronized :))

Generally, the only reason we would add a new feature in a bugfix release is if it's necessary to fix a security issue (such as the hash randomization feature). Here it's not necessary: you could simply ship a cert bundle in addition to the cert store. I suppose its generation is easily automated with a script.

(and, yes, the ssl module has long lacked important features; its history is a bit bumpy)

Again, for 3.3, a patch allowing urllib.request to call load_default_verify_locations() could be a good idea.

----------

_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue14780>
_______________________________________
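The message above suggests generating a single-file bundle from the directory-based store with a script. One way to do that is sketched here as an added example, not code from the tracker or from CPython; `build_bundle`, `demo` and the sample data (placeholder bytes, not real certificates) are assumptions made for illustration.

```python
import hashlib
import os
import re
import ssl
import tempfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def build_bundle(store_dir, bundle_path):
    """Write every distinct certificate found in store_dir to bundle_path."""
    seen, blocks = set(), []
    for name in sorted(os.listdir(store_dir)):
        path = os.path.join(store_dir, name)
        if not os.path.isfile(path):        # follows symlinks, skips subdirs
            continue
        with open(path, encoding="ascii", errors="ignore") as f:
            text = f.read()
        for pem in PEM_RE.findall(text):
            der = ssl.PEM_cert_to_DER_cert(pem)
            digest = hashlib.sha256(der).digest()
            if digest not in seen:          # hash links repeat the same cert
                seen.add(digest)
                blocks.append(ssl.DER_cert_to_PEM_cert(der))
    tmp = bundle_path + ".tmp"              # replace atomically so readers
    with open(tmp, "w", encoding="ascii") as f:   # never see a partial file
        f.writelines(blocks)
    os.replace(tmp, bundle_path)
    return len(blocks)

def demo():
    """Run build_bundle over a constructed store; returns (count, bundle)."""
    with tempfile.TemporaryDirectory() as d:
        store = os.path.join(d, "rootcerts")
        os.mkdir(store)
        # Constructed placeholders: valid PEM framing, not real certificates.
        cert_a = ssl.DER_cert_to_PEM_cert(b"constructed-placeholder-A")
        cert_b = ssl.DER_cert_to_PEM_cert(b"constructed-placeholder-B")
        files = {"a.pem": cert_a, "b.pem": "comment line\n" + cert_b,
                 "0a1b2c3d.0": cert_a,      # stands in for a hash-named link
                 "README": "no certificates here\n"}
        for name, body in files.items():
            with open(os.path.join(store, name), "w", encoding="ascii") as f:
                f.write(body)
        bundle = os.path.join(d, "ca-bundle.crt")
        count = build_bundle(store, bundle)
        with open(bundle, encoding="ascii") as f:
            return count, f.read()
```

Run against a real store, the resulting file is the kind of single-file bundle the `ca_certs` parameter mentioned in the quoted question accepts; regenerating it whenever the store changes keeps the two synchronized.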
