Opened 4 years ago

Last modified 5 months ago

#6934 enhancement new

Make use of certifi package for trust roots if it's installed and other sources of platform trust roots are not available

Reported by: Glyph
Owned by:
Priority: normal
Milestone:
Component: core
Keywords:
Cc: Hynek Schlawack
Branch:
Author:

Change History (5)

comment:1 Changed 4 years ago by Glyph

Description: modified (diff)

comment:2 Changed 4 years ago by Hynek Schlawack

Cc: Hynek Schlawack added

comment:3 Changed 4 years ago by Glyph

One potential heuristic would be to try to verify some known good / known bad certs and see what results they give us. I filed a pyOpenSSL issue to this effect.

comment:4 Changed 5 months ago by Kali

I'd like to contribute a patch for fixing this. There is some code on this gist with a working heuristic to detect unusable platformTrust, and import the certificates from the certifi bundle.

Last edited 5 months ago by Kali (previous) (diff)

comment:5 Changed 5 months ago by Kali

Actually I'm thinking now that simply depending on certifi might be a valid solution.

The Debian package for certifi just returns the system certificates:

def where():
    # Debian's patched certifi points at the system CA bundle, not a vendored copy
    return "/etc/ssl/certs/ca-certificates.crt"

which (I guess) is the same source for the trust roots that pyOpenSSL is using?

I don't know about other distributions, but then it would be a problem of the distributions to patch certifi to point to the distribution-specific path.

Last edited 5 months ago by Kali (previous) (diff)
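The fallback the ticket title describes, as an added example that is not code from the gist, Twisted, certifi or pyOpenSSL: it uses the stdlib ssl module in place of pyOpenSSL, treats the platform store as unusable when OpenSSL loaded no CA certificates into the context (a simpler usability check than the known-good/known-bad verification suggested in comment 3), and only then falls back to certifi's bundle, after confirming that bundle actually contains PEM certificates (which also catches a certifi that merely points at an empty system bundle). All function names and the count-based check are assumptions.

```python
"""Added example: choose CA trust roots, preferring the platform store and
falling back to certifi only when the platform store is unusable.
Stdlib ssl stands in for pyOpenSSL; the function names are assumptions."""
import ssl

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"


def count_pem_certs(path):
    """Number of PEM certificate blocks in a bundle file; 0 if unreadable."""
    try:
        with open(path, "rb") as f:
            return f.read().count(PEM_BEGIN)
    except OSError:
        return 0


def platform_store_usable(ctx):
    """Heuristic: the platform store is usable only if OpenSSL actually
    loaded at least one CA certificate into this context's store."""
    return ctx.cert_store_stats().get("x509_ca", 0) > 0


def certifi_bundle_path():
    """certifi.where() if certifi is installed, else None."""
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where()


def choose_trust_roots(ctx, certifi_path):
    """Decide which roots to use without loading anything.
    Returns ("platform", None), ("certifi", path) or ("none", None)."""
    if platform_store_usable(ctx):
        return ("platform", None)
    if certifi_path and count_pem_certs(certifi_path) > 0:
        return ("certifi", certifi_path)
    return ("none", None)


def build_verify_context(certifi_path=None):
    """Client context with usable roots, or RuntimeError if none exist."""
    ctx = ssl.create_default_context()  # loads platform roots, if any
    if certifi_path is None:
        certifi_path = certifi_bundle_path()
    source, path = choose_trust_roots(ctx, certifi_path)
    if source == "certifi":
        ctx.load_verify_locations(cafile=path)  # add certifi's bundle
    elif source == "none":
        raise RuntimeError("no usable trust roots: platform store empty, certifi missing")
    return ctx
```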