Mailinglist Archive: opensuse-bugs (3171 mails)
[Bug 761501] python-requests should use system certificates, not certifi bundle.
- From: bugzilla_noreply@xxxxxxxxxx
- Date: Wed, 9 May 2012 22:42:15 +0000
- Message-id: <20120509224215.7B01DCC7D4@soval.provo.novell.com>
https://bugzilla.novell.com/show_bug.cgi?id=761501
https://bugzilla.novell.com/show_bug.cgi?id=761501#c1
--- Comment #1 from James Oakley <jfunk@xxxxxxxxxxxxxx> 2012-05-09 22:42:14 UTC ---
Unfortunately, the requirement of a bundle file goes down to core Python:
http://docs.python.org/library/ssl.html
The SSL support in requests is implemented using ssl.wrap_socket(). It takes
the certs via the ca_certs parameter, which is expected to point to a file. I
checked to ensure this was the case:
    sock = ssl.wrap_socket(sock, cert_reqs=ssl.CERT_REQUIRED,
                           ca_certs="/etc/ssl/certs")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib64/python2.7/ssl.py", line 372, in wrap_socket
        ciphers=ciphers)
      File "/usr/lib64/python2.7/ssl.py", line 132, in __init__
        ciphers)
    ssl.SSLError: [Errno 0] _ssl.c:340: error:00000000:lib(0):func(0):reason(0)
It works fine with the bundle provided by python-certifi, which is currently
required by python-requests.
To make it work on a directory, the ssl module would need to be patched. Here
is the code in Python-2.7.3/Modules/_ssl.c line 335:
    ret = SSL_CTX_load_verify_locations(self->ctx,
                                        cacerts_file,
                                        NULL);
The easiest way is probably to check to see if the cacerts_file parameter is a
directory, and call it with (self->ctx, NULL, cacerts_file) instead.
I can certainly submit a patch for that, if that's the way you want to go.
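The file-or-directory dispatch proposed in the comment above, shown at the Python level as an added example (not code from the bug report, python-requests or CPython). It assumes Python 3, where `ssl.SSLContext.load_verify_locations()` takes `cafile` and `capath` separately, matching the second and third arguments of `SSL_CTX_load_verify_locations()`; the helper names and the sample directory are constructed for illustration.

```python
import os
import re
import ssl
import tempfile

# OpenSSL finds certificates in a CA directory by subject-hash file name,
# e.g. "5ad8a5d6.0" (the layout c_rehash / "openssl rehash" produces).
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def ca_kwargs(ca_location):
    """Map one CA location onto load_verify_locations() keyword arguments."""
    if os.path.isdir(ca_location):
        return {"capath": ca_location}
    if os.path.isfile(ca_location):
        return {"cafile": ca_location}
    raise FileNotFoundError(ca_location)


def hashed_entries(ca_dir):
    """Names in ca_dir that OpenSSL's directory lookup is able to find."""
    return sorted(n for n in os.listdir(ca_dir) if HASHED_NAME.match(n))


def verifying_context(ca_location):
    """Client context that requires a valid chain and a matching host name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    kwargs = ca_kwargs(ca_location)
    # A directory without hash-named entries loads without error but can
    # never validate a peer, so reject it up front.
    if "capath" in kwargs and not hashed_entries(ca_location):
        raise ValueError("no hashed certificate names in %s" % ca_location)
    ctx.load_verify_locations(**kwargs)
    return ctx


if __name__ == "__main__":
    # Constructed sample: a directory holding one hash-named placeholder entry.
    with tempfile.TemporaryDirectory() as ca_dir:
        open(os.path.join(ca_dir, "5ad8a5d6.0"), "w").close()
        ctx = verifying_context(ca_dir)
        print(ca_kwargs(ca_dir), ctx.verify_mode, ctx.check_hostname)
```

Certificates under `capath` are read lazily during a handshake, so a successful `load_verify_locations()` call on a directory does not show that any certificate in it parses.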