Date: Wed, 10 Jun 2020 15:47:09 +0000
From: bugzilla-noreply@freebsd.org
To: python@FreeBSD.org
Subject: [Bug 230414] security/py-certifi: add option to use certificate bundle from ca_root_nss
Message-ID: <bug-230414-21822-ipvybs25oi@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-230414-21822@https.bugs.freebsd.org/bugzilla/>
References: <bug-230414-21822@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230414

--- Comment #12 from Michael Osipov <michael.osipov@siemens.com> ---
OK, let me share a bit differentiated view:

* The option needs to be just like for GSS-API: GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT. Converted for this we'd have: CERTS_BASE, CERTS_BUNDLED, CERTS_PORTS (ca_root_nss), CERTS_SSL (ssl.mk based)
* I assume that ca_root_nss will be removed at some point in time because certctl(8) will be available in 12.2-RELEASE (and hopefully in 11-STABLE) and having NSS certs in base and via ports looks like maintenance overhead
* What should now be the default at least on 12? CERTS_BASE. Why? Because if something depends on OpenSSL from base, it should also use the certs from /etc/ssl/certs. But it must obey ssl=... and point to that certs dir. If Python would have its own TLS implementation like Java, I would be OK with having a bundled certs store.

From a pkg user's POV, it should work consistently because I cannot change it, i.e., add certs or block certs to certifi while I can with certctl(8).

WDYT?

--
You are receiving this mail because:
You are on the CC list for the bug.