> On 1 Jun 2017, at 11:18, Antoine Pitrou <solip...@pitrou.net> wrote:
> 
> On Thu, 1 Jun 2017 20:05:48 +1000
> Chris Angelico <ros...@gmail.com> wrote:
>> 
>> As stated in this thread, OS-provided certificates are not handled by
>> that. For instance, if a local administrator distributes a self-signed
>> cert for the intranet server, web browsers will use it, but pip will
>> not.
> 
> That's true.  But:
> 1) pip could grow a config entry to set an alternative or additional CA
> path

No it can’t.

Exporting the Windows or macOS security store to a big file of PEM is a 
security vulnerability because the macOS and Windows security stores expect to 
work with their own certificate chain building algorithms. OpenSSL builds 
chains differently, and disregards some metadata that Windows and macOS store, 
which means that cert validation will work differently than in the system 
store. This can lead to pip accepting a cert marked as “untrusted for SSL”, for 
example, which would be pretty bad.

Cory
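The trust-metadata half of the objection above, as an added example that is not code from the thread or from pip: a flat PEM export of the Windows ROOT store drops the per-certificate purpose flags that `ssl.enum_certificates()` exposes, so a root the OS trusts only for e-mail lands in the CA bundle unless the export honours them. The store entries, DER bytes and OID sets are constructed stand-ins so it runs on any OS.

```python
"""Added illustration (not code from the original thread or from pip).

ssl.enum_certificates(store) on Windows yields (cert_bytes, encoding, trust),
where trust is True (trusted for every purpose) or a set of EKU OID strings
the OS trusts the cert for. A naive "export everything to PEM" discards that
field, so a root trusted only for e-mail ends up in pip's CA bundle. The
store contents below are constructed stand-ins so this runs on any OS.
"""
import ssl

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"      # id-kp-clientAuth
EMAIL_PROT_OID = "1.3.6.1.5.5.7.3.4"       # id-kp-emailProtection

# Constructed entries in the shape enum_certificates() returns; the DER
# payloads are placeholders, not real certificates.
SAMPLE_STORE = [
    (b"\x30\x82placeholder-root-A", "x509_asn", True),                    # all purposes
    (b"\x30\x82placeholder-root-B", "x509_asn", {EMAIL_PROT_OID}),        # e-mail only
    (b"\x30\x82placeholder-root-C", "x509_asn", {SERVER_AUTH_OID, CLIENT_AUTH_OID}),
    (b"\x30\x82placeholder-pkcs7-D", "pkcs_7_asn", True),                 # not an X.509 cert
]


def trusted_for_server_auth(trust):
    """True if the OS trust metadata allows this cert for TLS server auth."""
    if trust is True:
        return True
    return isinstance(trust, (set, frozenset)) and SERVER_AUTH_OID in trust


def naive_export(entries):
    """The unsafe export: every X.509 entry becomes PEM, trust field ignored."""
    return [ssl.DER_cert_to_PEM_cert(der) for der, enc, _ in entries if enc == "x509_asn"]


def filtered_export(entries):
    """Keeps only X.509 entries the OS marks usable for server authentication."""
    return [ssl.DER_cert_to_PEM_cert(der)
            for der, enc, trust in entries
            if enc == "x509_asn" and trusted_for_server_auth(trust)]


def read_os_root_store():
    """On Windows, read the real ROOT store; elsewhere fall back to the sample."""
    if hasattr(ssl, "enum_certificates"):
        return ssl.enum_certificates("ROOT")
    return SAMPLE_STORE


if __name__ == "__main__":
    store = read_os_root_store()
    print(f"naive export: {len(naive_export(store))} certs, "
          f"server-auth-only export: {len(filtered_export(store))} certs")
```

Even the filtered bundle only restores the purpose flags; it does nothing about the second half of the objection, that OpenSSL's chain builder behaves differently from the platform one.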
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev