On 2017-01-30 21:50, Cory Benfield wrote:
>
>> On 30 Jan 2017, at 13:53, David Cournapeau <courn...@gmail.com> wrote:
>>
>> Are there any official recommendations for downstream packagers beyond PEP 476? Is it "acceptable" for downstream packagers to patch python's default cert locations?
>
> There *are* no default cert locations on Windows or macOS that can be accessed by OpenSSL.
>
> I cannot stress this strongly enough: you cannot provide a platform-native certificate validation logic for Python *and* use OpenSSL for certificate validation on Windows or macOS. (macOS can technically do this when you link against the system OpenSSL, at the cost of using a catastrophically insecure version of OpenSSL.)
In theory it is possible for Python and OpenSSL, too. I looked into a custom X509_LOOKUP_METHOD to locate trust anchors by subject. Steve is trying an alternative approach in https://bugs.python.org/issue28747. It ain't pretty and we are not there yet, either. Native support for SChannel and SecureTransport has some benefits.

It's too bad OpenSSL lacks support for PKCS#11 Trust Assertion Objects. We could use https://p11-glue.freedesktop.org/doc/pkcs11-trust-assertions/#pkcs11-objects under Linux and the PKCS#11 under Windows and macOS.

Christian
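The thread's point is that OpenSSL, as linked into CPython, has no platform trust store to fall back on for Windows and macOS, so an `SSLContext` may silently have zero trust anchors. The script below is an added example (not code from the thread, from CPython, or from the bug referenced above) that makes this visible from the `ssl` module's own public API: it reports where OpenSSL would look for a CA bundle, counts the anchors actually loaded into a context, and, on Windows only, copies server-authentication roots from the OS "ROOT" store into the context with `ssl.enum_certificates()` as a mitigation. The OID string `1.3.6.1.5.5.7.3.1` (id-kp-serverAuth) and the store name `"ROOT"` are assumptions taken from the `ssl` module documentation, not from the thread; on non-Windows platforms the copy step returns 0 because OpenSSL has no platform store to read from there.

```python
"""Inspect and, on Windows, repair the trust anchors of a Python SSLContext.
Added example for the discussion above; not part of the original thread."""
import ssl
import sys

# id-kp-serverAuth: only trust OS roots that Windows marks for server auth
# (assumption: the purpose OID used by the ssl module docs for this check).
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"


def empty_client_context() -> ssl.SSLContext:
    """A verifying TLS client context with NO trust anchors loaded.

    This is what a context looks like when OpenSSL has no default cert
    locations: verification is required, but nothing can satisfy it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def trust_anchor_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates currently in the context's X509 store."""
    return ctx.cert_store_stats()["x509_ca"]


def default_cert_locations() -> dict:
    """Where OpenSSL would look for a CA file/dir on this build.

    cafile/capath are None when the compiled-in path does not exist, which
    is the usual situation on Windows and macOS builds of CPython."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,
        "capath": p.capath,
        "openssl_cafile": p.openssl_cafile,
        "openssl_capath": p.openssl_capath,
        "cafile_env": p.openssl_cafile_env,
        "capath_env": p.openssl_capath_env,
    }


def load_os_roots(ctx: ssl.SSLContext, store: str = "ROOT") -> int:
    """On Windows, copy server-auth roots from the system store into ctx.

    Returns how many certificates were handed to OpenSSL. Elsewhere returns 0:
    there is no platform store that OpenSSL can reach, which is the thread's
    core point for macOS and any OpenSSL-based build."""
    if sys.platform != "win32":
        return 0
    loaded = 0
    for cert_bytes, encoding, trust in ssl.enum_certificates(store):
        if encoding != "x509_asn":  # skip PKCS#7 blobs
            continue
        # trust is True (all purposes) or a set of purpose OIDs
        if trust is not True and SERVER_AUTH_OID not in trust:
            continue
        ctx.load_verify_locations(cadata=cert_bytes)  # DER bytes
        loaded += 1
    return loaded


def trust_report(ctx: ssl.SSLContext) -> dict:
    """Summary a packager can log to see whether a context can verify anything."""
    return {
        "platform": sys.platform,
        "openssl": ssl.OPENSSL_VERSION,
        "default_paths": default_cert_locations(),
        "anchors_loaded": trust_anchor_count(ctx),
        "can_verify": trust_anchor_count(ctx) > 0,
    }


if __name__ == "__main__":
    empty = empty_client_context()
    print("fresh context:", trust_report(empty))
    copied = load_os_roots(empty)
    print(f"copied {copied} OS roots -> anchors now {trust_anchor_count(empty)}")
    print("create_default_context():", trust_report(ssl.create_default_context()))
```

Running this on a Linux build with a system CA bundle shows `cafile` set and a non-zero anchor count after `create_default_context()`; on a Windows or macOS build that was not pointed at a bundle, `cafile` and `capath` come back `None` and the anchor count stays at 0 until something loads roots. Note that `SSLContext.load_default_certs()` already performs the Windows store walk internally, so the explicit `load_os_roots()` here exists to show the mechanism and to filter by purpose, not to replace that call.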