On 30.08.2014 12:55, Antoine Pitrou wrote:
> On Sat, 30 Aug 2014 12:46:47 +0200
> "M.-A. Lemburg" <m...@egenix.com> wrote:
>> The change is to the OpenSSL API, not the OpenSSL lib. By setting
>> the variable you enable a few special calls to the config loader
>> functions in OpenSSL when calling the initializer it:
>>
>> https://www.openssl.org/docs/crypto/OPENSSL_config.html
>
> Ah, ok. Do you have experience with openssl.cnf? Apparently, it is
> meant for offline tools such as certificate generation, I am not sure
> how it could impact certification validation.

I'm still exploring this: the OpenSSL documentation is, well, less than
complete on these things, so searching mailing lists and reading source
code appears to be the only reasonable way to figure out what is
possible and what not.

The openssl.cnf config file is indeed mostly used by the various
openssl subcommands (e.g. req and ca), but it can also be used to
configure engines, and my hope is that configuration of e.g. default
certificate stores also becomes possible. One of the engines can tap
into the Windows certificate store, for example.

>>> That use case should be served with the SSL_CERT_DIR and SSL_CERT_FILE
>>> env vars (or, better, by specific settings *inside* the application).
>>>
>>> I'm against multiplying environment variables, as it makes it more
>>> difficult to assess the actual security of a setting. The danger of an
>>> ill-secure setting is much more severe than with hash randomization.
>>
>> You have a point there. So how about just a python run-time switch
>> and no env var ?
>
> Well, why not, but does it have a value over letting the code properly
> configure their SSLContext?

Yes, because when Python changes the default to be validating and more
secure, application developers will do the same as they do now: simply
use the defaults ;-)

-- 
Marc-Andre Lemburg
eGenix.com

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
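The thread contrasts two ways of getting a validating TLS client in Python: honouring OpenSSL's SSL_CERT_FILE / SSL_CERT_DIR environment variables, or having the application configure its own SSLContext explicitly. The following is an added example, not code from the thread or from CPython's ssl module, showing what an explicitly validating context looks like next to the "weak setting" it replaces, plus a small audit helper. Function names (make_validating_context, make_unverified_context, is_validating, env_trust_overrides) are this example's own; the ssl APIs it calls (create_default_context, get_default_verify_paths) are the stdlib's.

```python
"""Building and auditing a validating ssl.SSLContext (added example)."""
import os
import ssl


def make_validating_context(cafile=None, capath=None):
    """Return a client context that verifies the peer certificate and hostname.

    ssl.create_default_context() already enables CERT_REQUIRED and hostname
    checking. If cafile/capath are given, only those trust anchors are loaded
    (the "settings inside the application" approach from the thread);
    otherwise OpenSSL's default locations are used, which is where the
    SSL_CERT_FILE / SSL_CERT_DIR environment variables take effect.
    """
    if cafile or capath:
        ctx = ssl.create_default_context(cafile=cafile, capath=capath)
    else:
        ctx = ssl.create_default_context()
    # Stated explicitly so a code review sees the intent, not only a default.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def make_unverified_context():
    """The weak counterpart: no CA validation and no hostname check.

    Built here only so is_validating() has something to reject; it is the
    kind of "ill-secure setting" the thread warns about.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_validating(ctx):
    """Audit helper: True only if peer cert and hostname are both checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def env_trust_overrides():
    """Report OpenSSL's trust-anchor env vars and whether they are set here.

    ssl.get_default_verify_paths() exposes the variable names OpenSSL
    consults (normally SSL_CERT_FILE and SSL_CERT_DIR), so an audit can see
    if the process environment is overriding the application's trust store.
    """
    paths = ssl.get_default_verify_paths()
    return {
        paths.openssl_cafile_env: os.environ.get(paths.openssl_cafile_env),
        paths.openssl_capath_env: os.environ.get(paths.openssl_capath_env),
    }


if __name__ == "__main__":
    good = make_validating_context()
    bad = make_unverified_context()
    print("default context validating:", is_validating(good))
    print("unverified context validating:", is_validating(bad))
    print("trust-anchor env overrides:", env_trust_overrides())
```

Running the block prints True for the default context, False for the unverified one, and a mapping such as {'SSL_CERT_FILE': None, 'SSL_CERT_DIR': None} when neither variable is set. The env_trust_overrides() check is the practical answer to the concern raised in the thread: environment variables that silently change trust settings are hard to assess, so a deployment audit should enumerate them rather than assume they are absent.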