Mailinglist Archive: opensuse-bugs (3171 mails)

< Previous Next >
[Bug 761501] python-requests should use system certificates, not certifi bundle.

--- Comment #17 from Ludwig Nussel <lnussel@xxxxxxxx> 2012-05-21 10:50:52 CEST
(In reply to comment #12)
So let's assume we patch Python for openSUSE. If we make it load the store by
default, module authors will have a hard time distinguishing between our
patched version and other versions. There is no way to really check if it was
successful, especially since the OpenSSL call fails silently.

However, if we go with my original suggestion and patch to allow loading
directory stores, it will be obvious when it doesn't work.

There's nothing the application author needs to know. The situation
doesn't get worse. Right now if one doesn't pass a path for a CA
bundle two things might happen depending on how modules interact
with openssl:
a) no ssl checks at all, connection succeeds but is in fact insecure
b) ssl connections always fail due to lack of trust anchors

Neither is desirable. By patching the layer above openssl to always
load the default store if no bundle/dir was given explicitly
connections will be safe by default. There won't be a disadvantage
for applications. Connections that previously worked but were
insecure now correctly fail. Connections that didn't work before
because of missing trust store start to work.

I don't think the patch is inappropriate or too intrusive for
python2. The alternative of patching potentially dozends of modules
and applications to hardcode the CA path is worse. Esp since we
might decide to use a different default location or even format in
the future. Fedora for example has an extra location with
certificates in openssl's "TRUSTED CERTIFICATE" format which cannot
be used in /etc/ssl/certs for compatibility reasons.

Configure bugmail:
------- You are receiving this mail because: -------
You are on the CC list for the bug.

< Previous Next >