https://bugzilla.novell.com/show_bug.cgi?id=761501
https://bugzilla.novell.com/show_bug.cgi?id=761501#c12
--- Comment #12 from James Oakley 2012-05-16 20:52:48 UTC ---
Well, the good news is that I convinced upstream to allow for loading the
system store in urlopen() for Python 3. I just submitted a patch to do just
that.

The idea seems to be dead for 2.x, however.

So let's assume we patch Python for openSUSE. If we make it load the store by
default, module authors will have a hard time distinguishing between our
patched version and other versions. There is no way to really check if it was
successful, especially since the OpenSSL call fails silently.

However, if we go with my original suggestion and patch to allow loading
directory stores, it will be obvious when it doesn't work.

For example, the requests module checks various distribution-specific paths for
the default store, and falls back to certifi if none are found:

    DEFAULT_CA_BUNDLE_PATH = CERTIFI_BUNDLE_PATH or get_os_ca_bundle_path()

This can be changed to:

    import socket
    import ssl
    import _ssl

    try:
        # Probe: does this ssl build accept a directory as the CA store?
        _ssl.sslwrap(socket.socket()._sock, False, None, None,
                     ssl.CERT_REQUIRED, ssl.PROTOCOL_SSLv23, "/etc/ssl/certs", None)
        DEFAULT_CA_BUNDLE_PATH = "/etc/ssl/certs"
    except ssl.SSLError:
        # Directory stores are not supported here; keep the existing lookup.
        DEFAULT_CA_BUNDLE_PATH = CERTIFI_BUNDLE_PATH or get_os_ca_bundle_path()

That will allow for loading "/etc/ssl/certs" where supported and falls back if
not, which means that we can submit to 3rd-party modules such as requests, and
it will do the right thing regardless of version.
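
The probe-and-fall-back idea in comment #12, sketched for current Python 3 as an added example (not code from the comment, from requests, or from the openSUSE patch). Python's ssl documentation notes that certificates in a capath directory are only loaded when first used, so the directory is checked for OpenSSL's hashed file names up front; the function names and the fail-closed behaviour are assumptions of this sketch.

```python
import os
import re
import ssl

# OpenSSL finds certificates in a CA directory by subject-hash file name,
# e.g. "2e5ac55d.0", the layout written by c_rehash / "openssl rehash".
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def usable_capath(path):
    """Return True if path is a directory with at least one hashed entry
    that resolves to a non-empty regular file (dangling symlinks fail)."""
    if not os.path.isdir(path):
        return False
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if HASHED_NAME.match(name) and os.path.isfile(full) and os.path.getsize(full) > 0:
            return True
    return False


def pick_ca_source(capath_candidates, cafile_fallback):
    """Return ("capath", dir) for the first usable directory, otherwise
    ("cafile", cafile_fallback). Raises if the fallback is missing too, so
    the caller never ends up verifying against an empty trust store."""
    for candidate in capath_candidates:
        if usable_capath(candidate):
            return ("capath", candidate)
    if cafile_fallback and os.path.isfile(cafile_fallback):
        return ("cafile", cafile_fallback)
    raise FileNotFoundError("no usable CA directory or bundle found")


def make_verifying_context(capath_candidates, cafile_fallback):
    """Build a client context that requires verification against the
    chosen source and report which source was selected."""
    kind, location = pick_ca_source(capath_candidates, cafile_fallback)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED, hostname check on
    ctx.load_verify_locations(**{kind: location})
    return ctx, kind, location
```

Returning the selected source alongside the context lets a caller log which trust store is in effect, which is the visibility the comment says a silently loaded default store lacks.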