On May 6, 2014, at 4:47 PM, Victor Stinner <[email protected]> wrote:
> 2014-05-07 0:55 GMT+02:00 Imran Geriskovan <[email protected]>:
>> Interestingly Firefox (Iceweasel) does not complain when opening
>> https://static.licdn.com
>> with its usual "This Connection is Untrusted" page.
>> Is it a MITM setup which is detected by openssl/asyncio but not Firefox?
>
> I'm not sure that Firefox uses the same list of CAs as asyncio.
> Firefox may trust more CAs.

Trusting more or fewer CAs isn't the issue; it's just a different source. asyncio is getting its list of CAs from OpenSSL's default verify locations, which means (on Debian) /etc/ssl/certs. Firefox has its own separate trust store which can be different.

They're basically supposed to be the same - just look at the description of the package on <https://launchpad.net/ca-certificates>: "certificate authorities used by the Debian infrastructure and those shipped with Mozilla's browsers".

For what it's worth, static.licdn.com has really bad security; you should count your blessings that you can't connect to it :). <https://www.ssllabs.com/ssltest/analyze.html?d=static.licdn.com>. Maybe your OpenSSL is mad about one of those things?

At any rate, if other OpenSSL programs on the same computer are having the same results, this isn't an asyncio issue per se, and you should probably find an OpenSSL or Debian mailing list to ask :-).

Good luck,

-glyph
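An added example, not part of the original message: a small Python diagnostic for the point above, showing which CA locations this Python's OpenSSL uses by default and whether a host verifies against them or against an alternate bundle. The function names and the optional bundle path argument are assumptions made for this illustration.

```python
import os
import socket
import ssl
import sys


def openssl_trust_sources():
    """Report where OpenSSL (and so ssl/asyncio) looks for CA certificates."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,                  # bundle file in use, None if absent
        "capath": p.capath,                  # hashed cert directory, None if absent
        "openssl_cafile": p.openssl_cafile,  # compiled-in default file
        "openssl_capath": p.openssl_capath,  # compiled-in default directory
        # Environment overrides (SSL_CERT_FILE / SSL_CERT_DIR) change the result
        # for every OpenSSL program started from this shell, not just Python.
        "env_cafile": os.environ.get(p.openssl_cafile_env),
        "env_capath": os.environ.get(p.openssl_capath_env),
    }


def check_host(host, port=443, cafile=None, timeout=10):
    """Do a verified TLS handshake; return (ok, detail).

    cafile=None uses OpenSSL's default verify locations. Passing a bundle
    (for example one exported from another trust store) loads only that
    bundle, so the two results can be compared directly.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as e:
        # verify_code is OpenSSL's X509_V_ERR_* number, the same one that
        # other OpenSSL programs on the machine would report.
        return False, f"verify error {e.verify_code}: {e.verify_message}"
    except (ssl.SSLError, OSError) as e:
        return False, f"{type(e).__name__}: {e}"


if __name__ == "__main__":
    for key, value in openssl_trust_sources().items():
        print(f"{key:16} {value}")
    if len(sys.argv) > 1:  # usage: script.py HOST [ALTERNATE_BUNDLE.pem]
        bundle = sys.argv[2] if len(sys.argv) > 2 else None
        print(check_host(sys.argv[1], cafile=bundle))
```
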
