Date:      Tue, 07 Aug 2018 10:35:53 +0000
From:      bugzilla-noreply@freebsd.org
To:        python@FreeBSD.org
Subject:   [Bug 230414] security/py-certifi: add option to use certificate bundle from ca_root_nss
Message-ID:  <bug-230414-21822-m6xZYIuSmI@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-230414-21822@https.bugs.freebsd.org/bugzilla/>
References:  <bug-230414-21822@https.bugs.freebsd.org/bugzilla/>


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230414

--- Comment #2 from Sergey Akhmatov <sergey@akhmatov.ru> ---
(In reply to Kubilay Kocak from comment #1)

I see your point. But the approach of using certifi as a wrapper to the "system"
trust store is not uncommon. E.g. OpenBSD and Debian are using it by default:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/devel/py-certifi/patches/patch-certifi_core_py?rev=1.4&content-type=text/x-cvsweb-markup
https://sources.debian.org/src/python-certifi/2018.4.16-1/debian/patches/0001-Use-Debian-provided-etc-ssl-certs-ca-certificates.cr.patch/
Is FreeBSD strictly against such an approach?


The main point is not to use the "system" truststore, but to be able to add local
trusted certificates to certifi, and certifi doesn't seem to implement it:
https://github.com/certifi/python-certifi/issues/22
We could reach this goal if adding local CAs to the store were implemented in
ca_root_nss and certifi just used it.

Maybe we should start some discussion on the mailing lists to hear more opinions?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.
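
An added example (not part of the original message, and not code from certifi, ca_root_nss or the FreeBSD port): one way to add local trusted CAs to a PEM bundle such as the one certifi ships is to append them while deduplicating by DER fingerprint, returning the fingerprints added so the trust change can be audited. All function names are hypothetical, and the sample certificates are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import ssl

# Matches each certificate block; comment lines between blocks are skipped.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s.*?-----END CERTIFICATE-----", re.DOTALL)

def split_bundle(text):
    """Return every PEM certificate block found in a bundle file's text."""
    return PEM_RE.findall(text)

def fingerprint(pem):
    """SHA-256 of the decoded DER, so line wrapping does not affect identity."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def merge_bundles(base, local):
    """Append local CA blocks to the base bundle, skipping duplicates.

    Returns (merged_text, fingerprints_added) so the change can be logged."""
    seen = {fingerprint(p) for p in split_bundle(base)}
    parts = [base.rstrip("\n")] if base.strip() else []
    added = []
    for pem in split_bundle(local):
        fp = fingerprint(pem)
        if fp not in seen:
            seen.add(fp)
            added.append(fp)
            parts.append(pem)
    return "\n".join(parts) + "\n", added

def placeholder_pem(payload, width=64):
    """Constructed stand-in for a certificate: PEM armor around arbitrary bytes."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *body,
                      "-----END CERTIFICATE-----"])

if __name__ == "__main__":
    # Constructed sample data, not real certificates.
    base = "# upstream bundle\n" + placeholder_pem(b"root-A" * 12) + "\n"
    local = (placeholder_pem(b"root-A" * 12, width=32) + "\n"
             + placeholder_pem(b"site-local-CA" * 6) + "\n")
    merged, added = merge_bundles(base, local)
    print(len(split_bundle(merged)), "certificates;", len(added), "added")
```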
