Mailinglist Archive: opensuse-bugs (3171 mails)

< Previous Next >
[Bug 761501] python-requests should use system certificates, not certifi bundle.

https://bugzilla.novell.com/show_bug.cgi?id=761501

https://bugzilla.novell.com/show_bug.cgi?id=761501#c22


--- Comment #22 from Jan Matejek <jmatejek@xxxxxxxx> 2012-05-24 13:00:08 UTC ---
This doesn't matter one way or the other. The real problem is that certificate
validation is *turned off by default* - the cert_reqs argument is set to
ssl.CERT_NONE. Unless explicitly set to CERT_REQUIRED or CERT_OPTIONAL, the
cert store is completely ignored - and if it is set, ca_certs must also be set
to a correct path.

IOW, literally no packages are affected in any way by whether we load the
default cert store. Either they are insecure, and will continue to be insecure,
or they are already supplying their own cert bundles.


Only thing we can do for the insecure packages is change the default value of
cert_reqs argument, and only _then_ load the default cert store automatically.
But that is a bad idea because it is in direct contradiction with the official
docs. I mean, yes, this default is a bad default, but that doesn't mean we're
in any position to change this unilaterally.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

< Previous Next >
References