Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

> On 31 Jan 2017, at 18:26, Steve Dower wrote: > > In short, I want to allow Python code to set OpenSSL's certificate validation > callback. Basically, given a raw certificate, return True/False based on > whether it should be trusted. I then have separate code (yet to be published) > impleme

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

On 30Jan2017 1310, Christian Heimes wrote: On 2017-01-30 21:50, Cory Benfield wrote: On 30 Jan 2017, at 13:53, David Cournapeau wrote: Are there any official recommendations for downstream packagers beyond PEP 476 ? Is it "acceptable" for downstream packagers to patch python's default cert

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

On 31 January 2017 at 14:54, Cory Benfield wrote: > > So C# applications are Windows-native safe on Windows, and are a crapshoot > elsewhere. For Java vs Python, I’d say we’re slightly ahead right now. That's precisely the sort of answer I was after. Many thanks. The additional detail is interes

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

> On 31 Jan 2017, at 09:56, Paul Moore wrote: > > On 31 January 2017 at 09:19, Cory Benfield wrote: >> >> In general, it is unwise to mix trust stores. If you want to use your OS’s >> trust store, the best approach is to use the OS’s TLS stack as well. At >> least that way when a user says “It

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

On Tue, Jan 31, 2017 at 9:19 AM, Cory Benfield wrote: > > On 30 Jan 2017, at 21:00, David Cournapeau wrote: > > > > On Mon, Jan 30, 2017 at 8:50 PM, Cory Benfield wrote: > >> >> >> > On 30 Jan 2017, at 13:53, David Cournapeau wrote: >> > >> > Are there any official recommendations for downstre

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

On 31 January 2017 at 09:19, Cory Benfield wrote: > > In general, it is unwise to mix trust stores. If you want to use your OS’s > trust store, the best approach is to use the OS’s TLS stack as well. At > least that way when a user says “It works in my browser”, you know it should > work for you t

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

> On 31 Jan 2017, at 09:33, Christian Heimes wrote: > > One small correction, it is possible to export some of the trust > settings to a TRUSTED CERTIFICATE and import them into OpenSSL. It works > correctly in 1.0.1 and since 1.0.2e or f. Trust settings are stored in > X509_AUX extension after

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

On 2017-01-31 10:19, Cory Benfield wrote: > >> On 30 Jan 2017, at 21:00, David Cournapeau > > wrote: >> >> >> >> On Mon, Jan 30, 2017 at 8:50 PM, Cory Benfield > > wrote: >> >> >> >> > On 30 Jan 2017, at 13:53, David Cournapeau >

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

> On 30 Jan 2017, at 21:00, David Cournapeau wrote: > > > > On Mon, Jan 30, 2017 at 8:50 PM, Cory Benfield > wrote: > > > > On 30 Jan 2017, at 13:53, David Cournapeau > > wrote: > > > > Are there any official recommendations for downstre

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

On 2017-01-30 22:19, David Cournapeau wrote: > Hm. Is this documented anywhere ? We have customers needing > "private/custom" certificates, and I am unsure where to look for. For full control it is advised to use a custom SSLContext that only loads the internal CA. https://docs.python.org/3/librar

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

On Mon, Jan 30, 2017 at 9:14 PM, Christian Heimes wrote: > On 2017-01-30 22:00, David Cournapeau wrote: > > > > > > On Mon, Jan 30, 2017 at 8:50 PM, Cory Benfield > > wrote: > > > > > > > > > On 30 Jan 2017, at 13:53, David Cournapeau > w

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

On 2017-01-30 22:00, David Cournapeau wrote: > > > On Mon, Jan 30, 2017 at 8:50 PM, Cory Benfield > wrote: > > > > > On 30 Jan 2017, at 13:53, David Cournapeau > wrote: > > > > Are there any official recommendations for downstr

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

On 2017-01-30 21:50, Cory Benfield wrote: > > >> On 30 Jan 2017, at 13:53, David Cournapeau wrote: >> >> Are there any official recommendations for downstream packagers beyond PEP >> 476 ? Is it "acceptable" for downstream packagers to patch python's default >> cert locations ? > > There *are

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

On Mon, Jan 30, 2017 at 8:50 PM, Cory Benfield wrote: > > > > On 30 Jan 2017, at 13:53, David Cournapeau wrote: > > > > Are there any official recommendations for downstream packagers beyond > PEP 476 ? Is it "acceptable" for downstream packagers to patch python's > default cert locations ? > >

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

On Mon, Jan 30, 2017 at 8:50 PM, Cory Benfield wrote: > > > > On 30 Jan 2017, at 13:53, David Cournapeau wrote: > > > > Are there any official recommendations for downstream packagers beyond > PEP 476 ? Is it "acceptable" for downstream packagers to patch python's > default cert locations ? > >

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

> On 30 Jan 2017, at 13:53, David Cournapeau wrote: > > Are there any official recommendations for downstream packagers beyond PEP > 476 ? Is it "acceptable" for downstream packagers to patch python's default > cert locations ? There *are* no default cert locations on Windows or macOS that c

Re: [Python-Dev] SSL certificates recommendations for downstream python packagers

On 2017-01-30 14:53, David Cournapeau wrote: > Hi, > > I am managing the team responsible for providing python packaging at > Enthought, and I would like to make sure we are providing a good (and > secure) out of the box experience for SSL. > > My understanding is that PEP 476 is the latest PEP t

[Python-Dev] SSL certificates recommendations for downstream python packagers

Hi, I am managing the team responsible for providing python packaging at Enthought, and I would like to make sure we are providing a good (and secure) out of the box experience for SSL. My understanding is that PEP 476 is the latest PEP that concerns this issue, and that PEP recommends using the