Opened 19 months ago

Closed 8 months ago

#6334 task closed wontfix (wontfix)

Consider distributing a CA bundle if figuring out platform certificates is too hard or takes too long

Reported by: glyph Owned by:
Priority: normal Milestone:
Component: core Keywords:
Cc: exarkun, itamar, glyph, hs@… Branch:
Author: Launchpad Bug:

Description

The right solution to the problem of establishing certificate authority trust is to rely upon existing platform-specific repositories of this information, with tools to manage them. However, this may be challenging to implement. If so, a sub-optimal interim solution might be to distribute our own ca-certificates bundle; this would still be better than doing nothing (although this is open to debate).

Change History (8)

comment:1 Changed 19 months ago by glyph

Some previous discussion occurred on a different ticket where some code for distributing the CA bundle was added to a branch.

comment:2 Changed 19 months ago by glyph

  • Cc exarkun itamar glyph added

comment:3 Changed 11 months ago by hynek

  • Cc hs@… added

I don’t think it’s really that bad a solution.

Mozilla has a decent CA collection at https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt which we could happily steal for each release. Given the current crypto upheaval, I wouldn’t be surprised if there were more initiatives like that in the foreseeable future.

Hell, we could even add a tool to update the cert data (something along the lines of “twistd-update-trustdb”) from a place we control, so running older Twisted versions wouldn’t mean having an obsolete trust db. Although it apparently hasn’t changed for nearly a year.

Browsers have brought their own trust stores for a pretty long time because OSs are rather bad at it. Not saying #5446 shouldn’t be tackled too, but I’d consider it a sub-optimal opt-in for policy reasons. People are starting to question their OS vendor’s choices too.

comment:4 Changed 11 months ago by glyph

Hynek, what you're saying makes sense, and maybe this is a sensible option for platforms without any such tools or existing certs. It's certainly better than what we have right now (nothing) and might be a reasonable fallback default even when the other things are implemented.

Please feel free to implement the tool you suggest as well, a way to easily update the trust DB from an upstream source would certainly mitigate the major concern about this approach.

(It's been 8 months and there's been no movement on any of these tickets, so if this gets into review first, it wins, as far as I'm concerned...)

comment:5 follow-up: Changed 8 months ago by dstufft

If I can chime in with some experience from people using pip's bundled SSL certificates: we've had more than one user confused when something would work in their browser (presumably because their browser trusted their system certificates) and wouldn't work in pip. These were typically people behind MITM SSL proxies.

That being said, there are platforms where there are no default certificates and personally for pip a lot of the value of bundling was to provide a consistent experience amongst different platforms.

If Twisted *does* ship its own certificates, make sure you use https://github.com/agl/extract-nss-root-certs to parse the Mozilla certificates. The Mozilla trustdb includes explicitly distrusted certificates as well as certificates trusted for other reasons, and a simple parser doesn't properly handle that. Also make sure you're using the up-to-date location for the root certificates, which Mozilla changed but left the old one up just to trick people or something. That location is at https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
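The trust-flag rule dstufft describes, worked through as an added example. This is not code from Twisted, pip or agl's extract-nss-root-certs; it is a small parser for certdata.txt's own syntax that emits a certificate only when its CKO_NSS_TRUST object marks it CKT_NSS_TRUSTED_DELEGATOR for CKA_TRUST_SERVER_AUTH, and it is run against a constructed certdata.txt whose "DER" blobs are placeholders, not real certificates. Matching trust objects to certificates by CKA_CERT_SHA1_HASH rather than by label is a design choice of this example.

```python
"""Pull only the TLS-server roots out of a Mozilla certdata.txt.

Added example (not Twisted's, pip's or agl's code). A CKO_CERTIFICATE object
is emitted only when its CKO_NSS_TRUST object says CKT_NSS_TRUSTED_DELEGATOR
for CKA_TRUST_SERVER_AUTH. Explicitly distrusted roots (CKT_NSS_NOT_TRUSTED),
roots trusted only for e-mail or code signing, and certificates with no trust
object at all are dropped. Trust objects are matched to certificates by
CKA_CERT_SHA1_HASH, not by label.
"""
import base64
import hashlib
import re

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"
_OCTAL = re.compile(r"\\([0-7]{3})")


def parse_objects(text):
    """Split certdata.txt into one dict per CKA_CLASS object.

    Lines are ``NAME TYPE VALUE``; a MULTILINE_OCTAL value continues on the
    following ``\\ooo`` lines up to ``END``. Comments and BEGINDATA are skipped.
    """
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        name, typ = parts[0], parts[1]
        if typ == "MULTILINE_OCTAL":
            buf = bytearray()
            for raw in lines:  # consumes the shared iterator up to END
                if raw.strip() == "END":
                    break
                buf.extend(int(o, 8) for o in _OCTAL.findall(raw))
            value = bytes(buf)
        elif typ == "UTF8":
            value = parts[2].strip().strip('"')
        else:
            value = parts[2].strip() if len(parts) == 3 else ""
        if name == "CKA_CLASS":  # every object starts with its class
            current = {}
            objects.append(current)
        if current is not None:
            current[name] = value
    return objects


def all_certificates(text):
    """The naive reading: every CKO_CERTIFICATE, trust flags ignored."""
    return [(o.get("CKA_LABEL", ""), o["CKA_VALUE"]) for o in parse_objects(text)
            if o.get("CKA_CLASS") == "CKO_CERTIFICATE" and "CKA_VALUE" in o]


def trusted_server_roots(text):
    """[(label, der)] for roots NSS trusts to issue TLS server certificates."""
    objects = parse_objects(text)
    by_hash = {}
    for o in objects:
        if o.get("CKA_CLASS") == "CKO_CERTIFICATE" and "CKA_VALUE" in o:
            der = o["CKA_VALUE"]
            by_hash[hashlib.sha1(der).digest()] = (o.get("CKA_LABEL", ""), der)
    roots = []
    for o in objects:
        if o.get("CKA_CLASS") != "CKO_NSS_TRUST":
            continue
        # Any other value (CKT_NSS_NOT_TRUSTED, CKT_NSS_MUST_VERIFY_TRUST) means
        # "not a TLS server root", whatever the e-mail/code-signing flags say.
        if o.get("CKA_TRUST_SERVER_AUTH") != TRUSTED:
            continue
        cert = by_hash.get(o.get("CKA_CERT_SHA1_HASH"))
        if cert is not None:
            roots.append(cert)
    return roots


def to_pem(label, der):
    """Render one root the way ca-bundle files do: a label comment, then PEM."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "# %s\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (label, body)


# --- constructed sample input, in certdata.txt's own syntax -------------------
# The "DER" blobs are fake placeholders, not real certificates.
def _octal(data):
    return "".join("\\%03o" % b for b in data)


def _cert(label, der):
    return ('CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\nCKA_LABEL UTF8 "%s"\n'
            "CKA_VALUE MULTILINE_OCTAL\n%s\nEND\n" % (label, _octal(der)))


def _trust(label, der, server_auth, email):
    return ('CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\nCKA_LABEL UTF8 "%s"\n'
            "CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n%s\nEND\n"
            "CKA_TRUST_SERVER_AUTH CK_TRUST %s\nCKA_TRUST_EMAIL_PROTECTION CK_TRUST %s\n"
            % (label, _octal(hashlib.sha1(der).digest()), server_auth, email))


GOOD, BAD, MAIL, ORPHAN = (b"\x30\x03\x02\x01" + bytes([n]) for n in (1, 2, 3, 4))
SAMPLE_CERTDATA = (
    "# constructed certdata.txt for this example\nBEGINDATA\n"
    + _cert("Trusted TLS Root", GOOD) + _trust("Trusted TLS Root", GOOD, TRUSTED, TRUSTED)
    + _cert("Explicitly Distrusted Root", BAD)
    + _trust("Explicitly Distrusted Root", BAD, "CKT_NSS_NOT_TRUSTED", "CKT_NSS_NOT_TRUSTED")
    + _cert("E-mail Only Root", MAIL)
    + _trust("E-mail Only Root", MAIL, "CKT_NSS_MUST_VERIFY_TRUST", TRUSTED)
    + _cert("Certificate Without Trust Object", ORPHAN)
)

if __name__ == "__main__":
    print("naive parser would ship %d roots" % len(all_certificates(SAMPLE_CERTDATA)))
    for label, der in trusted_server_roots(SAMPLE_CERTDATA):
        print(to_pem(label, der))  # only "Trusted TLS Root" survives
```

On the constructed input the naive reading ships four roots, including the explicitly distrusted one; the trust-aware reading ships one. Against the real file from the hg.mozilla.org URL above, `parse_objects` needs no changes, but whatever is shipped should be regenerated from the current certdata.txt for every release, which is exactly the staleness concern raised earlier in the ticket.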

comment:6 in reply to: ↑ 5 Changed 8 months ago by glyph

Replying to dstufft:

If I can chime in with some experience from people using pip's bundled SSL Certificates

Thanks a lot for the perspective from experience, dstufft. We should really find a way to address this soon.

comment:7 Changed 8 months ago by hynek

After a few discussions on IRC I hereby propose to close this ticket as WONTFIX and offer a way to use e.g. certifi (or something similar, managed by us for all I care) as an external trust store from within #5446 (I’ll comment on that one soon).

comment:8 Changed 8 months ago by hynek

  • Resolution set to wontfix
  • Status changed from new to closed

Closing this now, it’s a matter of a function and https://pypi.python.org/pypi/certifi/ to achieve this effect.
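What "a function and certifi" can look like, as an added example that is not Twisted's or certifi's code. It assumes Twisted 16.0 or later (for `optionsForClientTLS` and `trustRootFromCertificates`, neither of which existed when this ticket was filed) and the certifi package; both are imported lazily so that the PEM-splitting helper runs stand-alone against the constructed bundle at the bottom, whose certificate bodies are gibberish rather than real certificates.

```python
"""Use certifi's PEM bundle as an explicit Twisted trust root.

Added example, not Twisted's or certifi's code. Assumes Twisted >= 16.0 and
certifi; both are imported inside the functions that need them.
"""
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text):
    """Return each certificate block of a concatenated PEM bundle.

    Certificate.loadPEM() (OpenSSL underneath) reads only the first block it
    is handed, so a bundle has to be split before it can become a list of
    anchors. The '# Label' comment lines between blocks are dropped.
    """
    return _PEM_BLOCK.findall(text)


def trust_root_from_bundle(path):
    """Turn a PEM bundle file into a Twisted trustRoot object."""
    from twisted.internet import ssl
    with open(path, "r", encoding="utf-8") as f:  # certifi's labels may be non-ASCII
        blocks = split_pem_bundle(f.read())
    certs = [ssl.Certificate.loadPEM(block.encode("ascii")) for block in blocks]
    return ssl.trustRootFromCertificates(certs)


def certifi_client_options(hostname):
    """Client TLS options that verify hostname against certifi's roots only.

    The platform's default OpenSSL store is not consulted, which is the
    behaviour dstufft warns about: a private CA installed for a MITM proxy
    will not be trusted here even though the browser accepts it.
    """
    import certifi
    from twisted.internet import ssl
    return ssl.optionsForClientTLS(
        hostname, trustRoot=trust_root_from_bundle(certifi.where()))


# Constructed sample: two PEM blocks with gibberish bodies (not real
# certificates), laid out like certifi's cacert.pem with label comments.
SAMPLE_BUNDLE = """# Issuer: CN=Example Root A
-----BEGIN CERTIFICATE-----
MIIBexampleAAAA
-----END CERTIFICATE-----

# Issuer: CN=Example Root B
-----BEGIN CERTIFICATE-----
MIIBexampleBBBB
MIIBexampleBBBB
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for block in split_pem_bundle(SAMPLE_BUNDLE):
        print(block.splitlines()[1][:15], "...")  # prints the first body line of each block
```

Wiring it up is then `reactor.connectSSL(host, 443, factory, certifi_client_options(u"host"))` or the equivalent endpoint call, with the bundle swapped for any other PEM file the operator prefers.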
