https://bugzilla.novell.com/show_bug.cgi?id=761501
https://bugzilla.novell.com/show_bug.cgi?id=761501#c17
--- Comment #17 from Ludwig Nussel
So let's assume we patch Python for openSUSE. If we make it load the store by default, module authors will have a hard time distinguishing between our patched version and other versions. There is no way to really check if it was successful, especially since the OpenSSL call fails silently.
However, if we go with my original suggestion and patch to allow loading directory stores, it will be obvious when it doesn't work.
There's nothing the application author needs to know. The situation doesn't get worse. Right now if one doesn't pass a path for a CA bundle two things might happen depending on how modules interact with openssl: a) no ssl checks at all, connection succeeds but is in fact insecure b) ssl connections always fail due to lack of trust anchors Neither is desirable. By patching the layer above openssl to always load the default store if no bundle/dir was given explicitly connections will be safe by default. There won't be a disadvantage for applications. Connections that previously worked but were insecure now correctly fail. Connections that didn't work before because of missing trust store start to work. I don't think the patch is inappropriate or too intrusive for python2. The alternative of patching potentially dozends of modules and applications to hardcode the CA path is worse. Esp since we might decide to use a different default location or even format in the future. Fedora for example has an extra location with certificates in openssl's "TRUSTED CERTIFICATE" format which cannot be used in /etc/ssl/certs for compatibility reasons. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.