Hi there,

This is hopefully the right mailing list for this question. We are shipping our
own python interpreter in our product, and following some discussions on
https://mail.python.org/pipermail/python-dev/2017-January/147282.html, we
understand shipping the certificate from certifi in our python is the best
approach on Linux/OS X.

Unfortunately, ssl hardcodes the default certificate location at compilation
time. I could work around this at the python level by patching
ssl.SSLContext.load_default_certs to look as follows:

def load_default_certs(...):
    ....

    if sys.platform == "win32":
        ...
    else:
        # Prefer a CA bundle shipped alongside the interpreter ...
        prefix = os.path.normpath(sys.prefix)
        default_cert = os.path.join(prefix, "ssl", "cert.pem")
        if os.path.isfile(default_cert):
            self.load_verify_locations(default_cert)
        else:
            # ... and fall back to the paths compiled into OpenSSL otherwise.
            self.set_default_verify_paths()

While this seems to work, my lack of knowledge in all things related to
security and ssl in particular makes me wary of patching anything in there.
Is this a sane approach? If not, is there a better way?

Thank you,

David
_______________________________________________
Security-SIG mailing list
Security-SIG@python.org
https://mail.python.org/mailman/listinfo/security-sig
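The approach sketched in the post, written out as an added example (this is not David's code and not CPython's own implementation). It assumes the <prefix>/ssl/cert.pem layout from the post, adds a keyword-only `prefix` argument so the logic can be exercised against a constructed directory, wraps the stock method instead of copying its Windows branch, and adds the two checks a reviewer would ask for: a bundle that is present but unreadable fails loudly instead of silently falling back, and an empty trust store is refused at startup. The invalid cert.pem written by `demonstrate()` is constructed for the example.

```python
"""Make ssl.SSLContext.load_default_certs prefer a CA bundle shipped with an
embedded interpreter (<sys.prefix>/ssl/cert.pem, the layout assumed in the
post) while keeping CPython's stock behaviour everywhere else."""
import os
import ssl
import sys
import tempfile

# Keep the stock implementation: Windows keeps using the system certificate
# stores through it, and the patch can be undone by restoring it.
_stock_load_default_certs = ssl.SSLContext.load_default_certs


def bundled_cafile(prefix=None):
    """Path of the shipped bundle, or None if there is none.

    The <prefix>/ssl/cert.pem layout is an assumption taken from the post;
    nothing in CPython mandates it."""
    prefix = os.path.normpath(sys.prefix if prefix is None else prefix)
    path = os.path.join(prefix, "ssl", "cert.pem")
    return path if os.path.isfile(path) else None


def load_default_certs(self, purpose=ssl.Purpose.SERVER_AUTH, *, prefix=None):
    """Drop-in replacement for ssl.SSLContext.load_default_certs.

    Returns the bundle path that was loaded, or None when the OpenSSL default
    paths compiled into the interpreter were used instead."""
    if sys.platform == "win32":
        _stock_load_default_certs(self, purpose)
        return None
    cafile = bundled_cafile(prefix)
    if cafile is None:
        self.set_default_verify_paths()
        return None
    # A bundle that exists but is not valid PEM makes load_verify_locations
    # raise ssl.SSLError. Let it propagate: quietly falling back to the system
    # store would hide a corrupted or tampered bundle, which must be noticed.
    self.load_verify_locations(cafile=cafile)
    return cafile


def check_trust_store(ctx):
    """Return the number of certificates in ctx's store, refusing an empty one.

    OpenSSL does not treat an empty store as an error: every verified handshake
    simply fails, and with CERT_NONE nothing fails at all. Checking once at
    startup turns that silent condition into a loud one."""
    count = ctx.cert_store_stats()["x509"]
    if count == 0:
        raise ssl.SSLError("trust store is empty")
    return count


def install():
    """Apply the patch process-wide (hypothetical name; call it before any
    SSLContext is created, e.g. from sitecustomize)."""
    ssl.SSLContext.load_default_certs = load_default_certs


def demonstrate():
    """Exercise every branch against a constructed prefix; returns outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # 1. No bundle shipped: the compiled-in OpenSSL default paths are used.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        results["missing_bundle"] = load_default_certs(ctx, prefix=root)

        # 2. A bundle exists but is not PEM (constructed, deliberately invalid):
        #    it must be found, and loading it must fail loudly.
        os.makedirs(os.path.join(root, "ssl"))
        bad = os.path.join(root, "ssl", "cert.pem")
        with open(bad, "w") as fh:
            fh.write("this is not a certificate\n")
        results["bundle_found"] = bundled_cafile(root) == bad
        try:
            load_default_certs(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), prefix=root)
            results["bad_bundle"] = "loaded"
        except ssl.SSLError:
            results["bad_bundle"] = "rejected"

        # 3. A context nothing was loaded into has an empty store; refuse it.
        try:
            check_trust_store(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
            results["empty_store"] = "accepted"
        except ssl.SSLError:
            results["empty_store"] = "refused"
    return results


if __name__ == "__main__":
    print(demonstrate())
```

Two practical notes: the bundle under sys.prefix becomes a trust anchor, so it should be installed with the same ownership and read-only permissions as the interpreter binary itself, and `check_trust_store()` is worth running right after `ssl.create_default_context()` in production code, since a missing or unreadable system store otherwise shows up only as handshake failures much later.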
