Opened 9 years ago

Closed 8 years ago

#6334 task closed wontfix (wontfix)

Consider distributing a CA bundle if figuring out platform certificates is too hard or takes too long

Reported by: Glyph
Owned by:
Priority: normal
Milestone:
Component: core
Keywords:
Cc: Jean-Paul Calderone, Itamar Turner-Trauring, Glyph, Hynek Schlawack
Branch:


The right solution to the problem of establishing certificate authority trust is to rely upon existing platform-specific repositories of this information, with tools to manage them. However, this may be challenging to implement. If so, a sub-optimal interim solution might be to distribute our own ca-certificates bundle; this would still be better than doing nothing (although this is open to debate).

Change History (8)

comment:1 Changed 9 years ago by Glyph

Some previous discussion occurred on a different ticket where some code for distributing the CA bundle was added to a branch.

comment:2 Changed 9 years ago by Glyph

Cc: Jean-Paul Calderone Itamar Turner-Trauring Glyph added

comment:3 Changed 8 years ago by Hynek Schlawack

Cc: Hynek Schlawack added

I don’t think it’s really that bad a solution.

Mozilla has a decent CA collection at which we could happily steal for each release. Due to the current crypto upheaval, I wouldn’t wonder if there’ll be more initiatives like that in the foreseeable future.

Hell, we could even add a tool to update the cert data (something along the lines of “twistd-update-trustdb”) from a place we control, so running older Twisted versions wouldn’t mean having an obsolete trust db. Although it apparently hasn’t changed for nearly a year.

Browsers have been bringing their own trust stores for a pretty long time because OSs are rather bad at it. Not saying #5446 shouldn’t be tackled too, but I’d consider it a sub-optimal opt-in for policy reasons. People are starting to question their OS vendor’s choices too.

comment:4 Changed 8 years ago by Glyph

Hynek, what you're saying makes sense, and maybe this is a sensible option for platforms without any such tools or existing certs. It's certainly better than what we have right now (nothing) and might be a reasonable fallback default even when the other things are implemented.

Please feel free to implement the tool you suggest as well, a way to easily update the trust DB from an upstream source would certainly mitigate the major concern about this approach.

(It's been 8 months and there's been no movement on any of these tickets, so if this gets into review first, it wins, as far as I'm concerned...)

comment:5 Changed 8 years ago by dstufft

If I can chime in with some experience from people using pip's bundled SSL certificates: we've had more than one user confused when something would work in their browser (presumably because their browser trusted their system certificates) and wouldn't work in pip. These were typically people behind MITM SSL proxies.

That being said, there are platforms where there are no default certificates, and personally, for pip, a lot of the value of bundling was to provide a consistent experience amongst different platforms.

If Twisted *does* ship its own certificates, make sure you use to parse the Mozilla certificates. The Mozilla trustdb includes explicitly distrusted certificates as well as certificates trusted for other reasons, and a simple parser doesn't properly handle that. Also make sure you're using the up-to-date location for the root certificates, which Mozilla changed but left the old one up just to trick people or something. That location is at
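Comment 5 above warns that a simple reader of Mozilla's certdata.txt will happily export entries that Mozilla has explicitly distrusted, because in that file the certificate and its trust flags are two separate objects. As an added example (this is not code from Twisted, pip or certifi), here is a small parser that pairs each CKO_CERTIFICATE object with its CKO_NSS_TRUST object by issuer and serial number and exports only certificates marked CKT_NSS_TRUSTED_DELEGATOR for TLS server authentication, alongside the naive behaviour for comparison. The embedded certdata snippet and its DER blobs are constructed stand-ins, not real certificates.

```python
import base64
import re

# NSS trust values meaning "trusted to issue certificates for this purpose".
# Older certdata.txt revisions used a CKT_NETSCAPE_ prefix with the same meaning.
TRUSTED_AS_CA = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}

# Constructed sample in certdata.txt layout; the octal DER blobs are fake stubs.
SAMPLE_CERTDATA = r"""
BEGINDATA

# Certificate "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\003\014\001\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_VALUE MULTILINE_OCTAL
\060\012\002\001\001\060\003\014\001\101\005\000
END

# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\003\014\001\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Certificate "Example Distrusted Cert" (present in the file, explicitly distrusted)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Cert"
CKA_ISSUER MULTILINE_OCTAL
\060\003\014\001\102
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_VALUE MULTILINE_OCTAL
\060\012\002\001\002\060\003\014\001\102\005\000
END

# Trust for "Example Distrusted Cert"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Cert"
CKA_ISSUER MULTILINE_OCTAL
\060\003\014\001\102
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""


def _octal_to_bytes(lines):
    """Decode MULTILINE_OCTAL lines (backslash + three octal digits per byte)."""
    return bytes(int(m.group(1), 8) for raw in lines for m in re.finditer(r"\\([0-7]{3})", raw))


def parse_objects(text):
    """Split certdata.txt into attribute dicts; each CKA_CLASS line starts a new object."""
    objects, current, lines = [], None, iter(text.splitlines())
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(" ", 2)
        if len(parts) < 2:  # e.g. the BEGINDATA marker
            continue
        attr, kind = parts[0], parts[1]
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None:
            continue
        if kind == "MULTILINE_OCTAL":
            chunk = []
            for nxt in lines:  # consume the octal body up to END
                if nxt.strip() == "END":
                    break
                chunk.append(nxt)
            current[attr] = _octal_to_bytes(chunk)
        elif kind == "UTF8":
            current[attr] = parts[2].strip('"')
        else:
            current[attr] = parts[2] if len(parts) == 3 else ""
    return objects


def naive_all_certificates(text):
    """What a simple parser does: every CKO_CERTIFICATE label, trust objects ignored."""
    return [o["CKA_LABEL"] for o in parse_objects(text) if o.get("CKA_CLASS") == "CKO_CERTIFICATE"]


def trusted_server_roots(text):
    """(label, DER) for certificates whose trust object marks them as a TLS server CA.
    A trust object names its certificate by issuer + serial number, so pair on that;
    a missing trust object, CKT_NSS_MUST_VERIFY_TRUST or CKT_NSS_NOT_TRUSTED all mean: do not ship."""
    objects = parse_objects(text)
    trust = {(o.get("CKA_ISSUER"), o.get("CKA_SERIAL_NUMBER")): o.get("CKA_TRUST_SERVER_AUTH")
             for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    roots = []
    for o in objects:
        if o.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        if trust.get((o.get("CKA_ISSUER"), o.get("CKA_SERIAL_NUMBER"))) in TRUSTED_AS_CA:
            roots.append((o["CKA_LABEL"], o["CKA_VALUE"]))
    return roots


def to_pem(der):
    """Wrap a DER blob as a PEM CERTIFICATE block, 64 columns per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print("naive parser would ship:", naive_all_certificates(SAMPLE_CERTDATA))
    for label, der in trusted_server_roots(SAMPLE_CERTDATA):
        print("trusted for server auth:", label)
        print(to_pem(der))
```

On the constructed input the naive reader exports both entries, while the trust-aware one exports only "Example Trusted Root"; the same filter is what keeps explicitly distrusted records out of a bundle built from the real file, and a bundle builder should also drop entries whose trust object is absent rather than treating absence as trust.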

comment:6 in reply to:  5 Changed 8 years ago by Glyph

Replying to dstufft:

If I can chime in with some experience from people using pip's bundled SSL Certificates

Thanks a lot for the perspective from experience, dstufft. We should really find a way to address this soon.

comment:7 Changed 8 years ago by Hynek Schlawack

After a few discussions on IRC I hereby propose to close this ticket as WONTFIX and offer a way to use e.g. certifi (or something similar, managed by us for all I care) as an external trust store from within #5446 (I’ll comment on that one soon).

comment:8 Changed 8 years ago by Hynek Schlawack

Resolution: wontfix
Status: new → closed

Closing this now, it’s a matter of a function and to achieve this effect.
