https://bugzilla.novell.com/show_bug.cgi?id=761501
https://bugzilla.novell.com/show_bug.cgi?id=761501#c21
--- Comment #21 from Ludwig Nussel
(In reply to comment #19)
>> Just patch the code away that does a fallback to some bundle. That's better than patching in yet another path.
> Except that won't work on other distros. The current requests patch can be upstreamed.

At a certain point we have to do what makes sense for us. Hardcoding some path may be fine for certain individual upstreams, for a distro it's insane though.
>> Doesn't matter whether the system certificate store was loaded successfully as long as certificate checking is guaranteed to be on always. If loading the store fails (which is basically impossible with the CA directory) all certificate validations would fail. I.e. fail-safe behavior.
> Feel free to look at the code in the requests module. The actual validation occurs in a totally different place in the code than the determination of the cert store. The code needs some way to figure out if the store is actually correct, and fall back if necessary.

Are you referring to the code in models.py?

    if not cert_loc:
        cert_loc = DEFAULT_CA_BUNDLE_PATH
    if not cert_loc:
        raise Exception("Could not find a suitable SSL CA certificate bundle.")

I suppose the cert_loc set here ends up as the ca_certs parameter of ssl.wrap_socket() in packages/urllib3/connectionpool.py. So if ssl.wrap_socket would just use the system store if ca_certs=None the lines above could be removed without replacement and without loss of any feature.
>> You need to handle that anyways. If self-signed certs "work" without any extra handling by an application/module it's pretty obvious that no certificate checking was done, i.e. the connection is unsafe.
> But if you make it always on, then you can't use self-signed certs at all. That will break a LOT of things.

Well, if you turn off verification the 'secure' in SSL wouldn't deserve its name. You could just as well use http then.
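The fail-safe rule argued for in this comment (verification is always on; a trust store that cannot be loaded is an error, never a reason to fall back to a hardcoded bundle or to unverified TLS) is easy to state in code. The following is an added illustration written for this page; it is not code from requests, urllib3 or the openSUSE patch under discussion. It uses only the standard ssl module as it exists in current Python 3 (ssl.SSLContext and load_default_certs replace the Python 2 ssl.wrap_socket()/ca_certs path the comment refers to), and the function names CertStoreError, resolve_ca_store, make_verifying_context, is_fail_safe and unsafe_context are invented for the example.

```python
"""Fail-safe TLS client context: verification always on, no silent bundle fallback.

Added example for this bug thread; not the requests/urllib3 code being discussed.
"""
import os
import ssl


class CertStoreError(Exception):
    """The caller-supplied trust store could not be used.

    Callers must let this propagate (or abort the connection); catching it and
    continuing with verification disabled would recreate the problem the thread
    describes.
    """


def resolve_ca_store(cafile=None, capath=None):
    """Decide where trust anchors come from, with no hardcoded bundle fallback.

    Returns (cafile, capath); both None means "use the platform default store".
    An explicitly named store that does not exist is an error, not a cue to try
    some other path.
    """
    if cafile is not None and not os.path.isfile(cafile):
        raise CertStoreError(f"CA bundle file not found: {cafile!r}")
    # OpenSSL records a capath without checking that it exists, so a typo in a
    # directory path would otherwise be noticed only when every handshake fails.
    if capath is not None and not os.path.isdir(capath):
        raise CertStoreError(f"CA directory not found: {capath!r}")
    return cafile, capath


def make_verifying_context(cafile=None, capath=None):
    """Build a client context whose verify_mode can never be CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already defaults to CERT_REQUIRED plus hostname
    # checking; set both explicitly so the policy is visible in one place.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED

    cafile, capath = resolve_ca_store(cafile, capath)
    if cafile is None and capath is None:
        # No explicit store: use the system store (OpenSSL's default verify
        # paths, i.e. the distro-managed CA file/directory).
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        try:
            ctx.load_verify_locations(cafile=cafile, capath=capath)
        except (OSError, ssl.SSLError) as exc:
            raise CertStoreError(f"CA store unusable: {exc}") from exc
    return ctx


def is_fail_safe(ctx):
    """True only if the context will reject unverified or misnamed peers."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def unsafe_context():
    """The anti-pattern from the thread: make self-signed certs 'work' by
    turning checking off. Present only so is_fail_safe() has something to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def loading_missing_store_fails(path):
    """Return True if naming a non-existent bundle raises instead of falling back."""
    try:
        make_verifying_context(cafile=path)
    except CertStoreError:
        return True
    return False


if __name__ == "__main__":
    print("system store context fail-safe:", is_fail_safe(make_verifying_context()))
    print("CERT_NONE context fail-safe:   ", is_fail_safe(unsafe_context()))
    # Constructed, deliberately non-existent path.
    print("missing bundle raises:         ",
          loading_missing_store_fails("/nonexistent/constructed/ca-bundle.crt"))
```

The design point is the one made in the comment: the decision about where trust anchors live is separated from the decision whether to verify at all. resolve_ca_store() may fail, and when it does the caller gets an exception; nothing in the module can produce a context with CERT_NONE except the explicitly named anti-pattern.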