
More CA paths #1

Open
tiran opened this issue Sep 26, 2013 · 6 comments

Comments

@tiran

tiran commented Sep 26, 2013

Hi,

you can find more CA paths in my PEP draft at https://bitbucket.org/tiran/peps/src/5ac9cd851f24554621be1c475a1b8ab2a313208f/pep-9999.txt?at=default#cl-269

You should favor CApath over CAfile if the Python version supports it. A CApath is faster because it loads CAs on demand.

Christian

@dhellmann
Contributor

Thanks for the pointer to the other paths!

I'm not sure what you mean about path vs. file, though. Does httplib2 work if a directory name is used?

@tiran
Author

tiran commented Sep 26, 2013

Oh sorry, I don't know if httplib2 actually supports the feature. Since Python 3.2 the CA files can be loaded from a directory, too. The files in the directory must have a specific naming scheme so OpenSSL can map the cert's hash to a file name.

http://docs.python.org/3.2/library/ssl.html#ssl.SSLContext.load_verify_locations
http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

@dhellmann
Contributor

OK, I'll verify that httplib2 supports that before including the directories.

@jayvdb

jayvdb commented Jun 25, 2014

Fedora Core 19 has the certs in /etc/ssl/certs/ca-bundle.crt

@AdamWill

@jayvdb Not quite.

https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/

Distros and OSes all have various (and usually more than one) locations for trust stores. The most-canonical location for RHEL, Fedora and Mageia (and derivatives and probably various smaller distros) is /etc/pki/tls/certs/ca-bundle.crt (as a bundle file). (On Fedora, /etc/ssl/certs is a compatibility symlink, though not a very good one.) Arch uses Fedora's system. Debian (and derivatives, inc. Ubuntu) provides /etc/ssl/certs as a hashed directory and /etc/ssl/certs/ca-certificates.crt as a bundle file. OpenSUSE provides /etc/ssl/certs as a hashed directory for compatibility purposes, but not /etc/ssl/certs/ca-certificates.crt. It has a bundle file at /var/lib/ca-certificates/ca-bundle.pem, but discourages use of any particular location and encourages use of OpenSSL's default (see below) - https://github.com/openSUSE/ca-certificates . OS X has it in /System/Library/OpenSSL, according to the references I could Google, anyway. For Windows builds, your guess is as good as mine.

Really if you're trying to use the 'system' location you should not be specifying a location at all but letting OpenSSL handle it; see e.g. https://docs.python.org/2/library/ssl.html#ssl.SSLContext.load_default_certs . But as I read it, httplib2's design does not really allow for this, it is expecting the 'locater plugin' to provide a filesystem location.

@joemiller

I would propose adopting the approach that go's stdlib does - https://golang.org/src/crypto/x509/root_linux.go
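Pulling the locations named in this thread together, as an added example (not httplib2's own code; Python 3.4+ assumed, and the candidate list is illustrative): probe the bundle files and the hashed CApath directory in order, and when nothing explicit is requested fall back to OpenSSL's defaults via load_default_certs, as recommended above.

```python
import os
import re
import ssl

# Locations named in this thread, most-canonical first (illustrative list,
# not httplib2's; extend or reorder for the platforms you actually support).
CA_BUNDLE_CANDIDATES = (
    "/etc/pki/tls/certs/ca-bundle.crt",        # RHEL / Fedora / Mageia / Arch
    "/etc/ssl/certs/ca-certificates.crt",      # Debian / Ubuntu
    "/var/lib/ca-certificates/ca-bundle.pem",  # openSUSE
    "/etc/ssl/certs/ca-bundle.crt",            # Fedora compatibility symlink
)
CA_DIR_CANDIDATES = ("/etc/ssl/certs",)        # hashed CApath on Debian / openSUSE

# OpenSSL CApath entries are <8 lowercase hex digits of subject hash>.<N>,
# e.g. "2e5ac55d.0", as produced by c_rehash / openssl rehash.
_HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def is_hashed_ca_dir(path, listdir=os.listdir):
    """True if `path` has at least one hash-named entry (i.e. is a usable CApath)."""
    try:
        return any(_HASHED_NAME.match(name) for name in listdir(path))
    except OSError:  # missing directory or no permission: not a CApath
        return False


def find_ca_locations(files=CA_BUNDLE_CANDIDATES, dirs=CA_DIR_CANDIDATES,
                      isfile=os.path.isfile, listdir=os.listdir):
    """Return (cafile, capath): first existing bundle file and first hashed
    directory from the candidate lists, or None for whichever is absent.
    `isfile`/`listdir` are injectable so discovery can be tested offline."""
    cafile = next((f for f in files if isfile(f)), None)
    capath = next((d for d in dirs if is_hashed_ca_dir(d, listdir)), None)
    return cafile, capath


def build_context(cafile=None, capath=None):
    """Verifying client context (CERT_REQUIRED + hostname check). A CApath is
    preferred over a bundle file because OpenSSL loads it on demand; with no
    explicit location, create_default_context() calls load_default_certs()."""
    if capath is not None:
        return ssl.create_default_context(capath=capath)
    if cafile is not None:
        return ssl.create_default_context(cafile=cafile)
    return ssl.create_default_context()


if __name__ == "__main__":
    print(find_ca_locations())
```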
