https://bugzilla.novell.com/show_bug.cgi?id=761501
https://bugzilla.novell.com/show_bug.cgi?id=761501#c19
--- Comment #19 from Ludwig Nussel
There's nothing the application author needs to know. The situation doesn't get worse. Right now, if one doesn't pass a path for a CA bundle, two things might happen depending on how modules interact with openssl: a) no ssl checks at all, the connection succeeds but is in fact insecure; b) ssl connections always fail due to lack of trust anchors.
Please consider the following:
1. In the requests module, the subject of this bug report, the code specifies a ca path. It checks for various distribution-specific locations, and failing that, loads the certifi bundle. Your proposed change doesn't affect that in the slightest.
Just patch the code away that does a fallback to some bundle. That's better than patching in yet another path.
2. If the certificate store is loaded automatically, but only in openSUSE (remember that upstream rejected this), and there is no feedback to indicate whether the store actually loaded or not, how can a module author be sure whether the certificates are verified or not? Should they be checking to see
Doesn't matter whether the system certificate store was loaded successfully as long as certificate checking is guaranteed to be on always. If loading the store fails (which is basically impossible with the CA directory) all certificate validations would fail. I.e. fail-safe behavior.
3. If certificates were verified by default, what if I were calling something on a server with a self-signed certificate? What if I wanted to communicate with a private OBS instance? It would raise exceptions and I would be stuck and unable to use it.
You need to handle that anyways. If self-signed certs "work" without any extra handling by an application/module it's pretty obvious that no certificate checking was done, i.e. the connection is unsafe.
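The fail-safe policy argued for in this comment, as an added Python example that is not code from the bug report or from the requests project: search the distribution-specific CA bundle locations the comment describes, refuse to connect (rather than silently disabling verification) when none is found, and let a private instance's CA be supplied explicitly. The candidate paths, function names and the `exists` parameter are assumptions made for this example.

```python
import os
import ssl

# Distribution-specific CA bundle locations (assumed for this example,
# modelled on the search described in the comment; not an exhaustive list).
DEFAULT_CANDIDATES = (
    "/etc/ssl/ca-bundle.pem",               # openSUSE / SLES
    "/etc/pki/tls/certs/ca-bundle.crt",     # RHEL / Fedora
    "/etc/ssl/certs/ca-certificates.crt",   # Debian / Ubuntu
)


class NoTrustAnchors(Exception):
    """No CA bundle could be found: fail closed instead of verify=False."""


def select_ca_bundle(candidates=DEFAULT_CANDIDATES, allow_certifi_fallback=False,
                     exists=os.path.isfile):
    """Return the first existing CA bundle path, or raise NoTrustAnchors.

    `exists` is injectable so the selection logic can be tested offline.
    The certifi fallback is off by default, following the comment's advice
    to drop the fallback rather than add yet another bundled path.
    """
    for path in candidates:
        if exists(path):
            return path
    if allow_certifi_fallback:
        try:
            import certifi  # optional third-party package
            return certifi.where()
        except ImportError:
            pass
    raise NoTrustAnchors("no CA bundle found; refusing an unverified TLS connection")


def make_context(cafile=None):
    """Build a TLS context that always verifies the peer.

    create_default_context() already sets CERT_REQUIRED and check_hostname.
    Pass cafile to trust a private CA (e.g. a private OBS instance) explicitly
    instead of turning verification off.
    """
    ctx = ssl.create_default_context()
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def verification_enabled(ctx):
    """True when the context will reject unverified peers (fail-safe check)."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
```

A connection failing with a certificate error against a self-signed server is the expected outcome here; the fix is to pass that server's CA to `make_context`, not to weaken the context.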