Date: Tue, 07 Aug 2018 10:35:53 +0000 From: bugzilla-noreply@freebsd.org To: python@FreeBSD.org Subject: [Bug 230414] security/py-certifi: add option to use certificate bundle from ca_root_nss Message-ID: <bug-230414-21822-m6xZYIuSmI@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-230414-21822@https.bugs.freebsd.org/bugzilla/> References: <bug-230414-21822@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D230414 --- Comment #2 from Sergey Akhmatov <sergey@akhmatov.ru> --- (In reply to Kubilay Kocak from comment #1) I see your point. But the approach to use certifi as a wrapper to "system" trust store is not uncommon. E.g. OpenBSD and Debian is using it by default: http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/devel/py-certifi/patches/pat= ch-certifi_core_py?rev=3D1.4&content-type=3Dtext/x-cvsweb-markup https://sources.debian.org/src/python-certifi/2018.4.16-1/debian/patches/00= 01-Use-Debian-provided-etc-ssl-certs-ca-certificates.cr.patch/ Is FreeBSD strictly against such approach? The main point is not to use "system" truststore, but to be able to add loc= al trusted certificates to certifi, and certifi doesn't seem to implement it: https://github.com/certifi/python-certifi/issues/22 We could reach this goal if adding local CAs to store would be implemented = in ca_root_nss and certifi just using it. Maybe we should start some discussion on maillists to hear more opinions? --=20 You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-230414-21822-m6xZYIuSmI>