Sender: Kubilay Kocak <koobs.freebsd@gmail.com>
Message-ID: <54A0E85A.4030404@FreeBSD.org>
Date: Mon, 29 Dec 2014 16:36:26 +1100
From: Kubilay Kocak <koobs@FreeBSD.org>
Reply-To: koobs@FreeBSD.org
To: "James D. Lin" <jamesdlin@gmail.com>, python@freebsd.org
Subject: Re: Python 2.7.9 looks for SSL certificates in /etc/ssl
 instead of /usr/local/etc/ssl
References: <CADPatTdEmWSQDDx-eZ8ba3Pa_a2phzGME8CbeTcvpSPvckB45Q@mail.gmail.com>
In-Reply-To: <CADPatTdEmWSQDDx-eZ8ba3Pa_a2phzGME8CbeTcvpSPvckB45Q@mail.gmail.com>

On 29/12/2014 4:18 PM, James D. Lin wrote:
> Hello,
> 
> I recently upgraded to Python 2.7.9 from the ports collection on my FreeBSD
> 10.0 system, and Python 2.7.9's change to enable SSL verification
> unexpectedly broke several of my Python scripts that made https connections
> to sites with valid SSL certificates.  The reason is that Python is looking
> for the CA file at /etc/ssl/cert.pem, which does not exist in my FreeBSD
> installation.  I do, however, have a /usr/local/etc/ssl/cert.pem file
> (which is actually a symlink to /usr/local/share/certs/ca-root-nss.crt).
> Calling ssl.get_default_verify_paths() in Python returns:
> 
> DefaultVerifyPaths(cafile=None,
>                    capath=None,
>                    openssl_cafile_env='SSL_CERT_FILE',
>                    openssl_cafile='/etc/ssl/cert.pem',
>                    openssl_capath_env='SSL_CERT_DIR',
>                    openssl_capath='/etc/ssl/certs')
> 
> Is this something that can (and should) be corrected in the Python 2.7.9
> port?
> 
> Thanks,
> 
> - James

James,

It's a bit of a spider web between base and ports openssl, along with
the ca_root_nss port, and various search path compatibility issues with
various consuming software (from ports).

What I can say is that *out of the box* (not base) support for SSL
certificate verification is important and we want to make it better, so
identifying the gaps is key.

You can see some more detail in the following issue, in which I also
mention Python's move to verification by default:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=189811

If you have anything to add, please comment as user feedback is very
important.

The Python team is also available on IRC at #freebsd-python (freenode)
if you want to discuss anything further :)

Thanks!

koobs
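An added example (not code from either poster or the FreeBSD port) showing how a script can detect the situation James describes and still verify certificates: it reports whether the compiled-in OpenSSL cafile (or the one named by $SSL_CERT_FILE) actually exists, then falls back to the ports CA bundle paths named in the thread. The function names, the `exists`/`environ` parameters (injected so the logic can be tested offline) and the Debian path in the fallback list are assumptions of this example.

```python
import os
import ssl

# CA bundle locations to try after OpenSSL's compiled-in default. The first
# two are the FreeBSD ports paths named in the thread (ca_root_nss installs
# the symlink /usr/local/etc/ssl/cert.pem -> ca-root-nss.crt); the third is
# an assumed fallback for Debian-style systems.
FALLBACK_CAFILES = (
    "/usr/local/etc/ssl/cert.pem",
    "/usr/local/share/certs/ca-root-nss.crt",
    "/etc/ssl/certs/ca-certificates.crt",
)


def diagnose(environ=None, exists=os.path.isfile):
    """Report where this Python's OpenSSL looks for a CA file and whether
    that file (or the one named by $SSL_CERT_FILE) is actually present.
    A missing compiled-in cafile is exactly the FreeBSD symptom from the
    thread: get_default_verify_paths() then reports cafile=None."""
    environ = os.environ if environ is None else environ
    p = ssl.get_default_verify_paths()
    env_file = environ.get(p.openssl_cafile_env)
    return {
        "openssl_cafile": p.openssl_cafile,
        "openssl_cafile_present": bool(p.openssl_cafile) and exists(p.openssl_cafile),
        "env_cafile": env_file,
        "env_cafile_present": bool(env_file) and exists(env_file),
    }


def resolve_cafile(environ=None, exists=os.path.isfile, fallbacks=FALLBACK_CAFILES):
    """Return the first usable CA bundle: $SSL_CERT_FILE, then OpenSSL's
    compiled-in path, then the fallbacks. None means nothing was found;
    the caller should fail closed rather than disable verification."""
    environ = os.environ if environ is None else environ
    p = ssl.get_default_verify_paths()
    ordered = (environ.get(p.openssl_cafile_env), p.openssl_cafile) + tuple(fallbacks)
    for path in ordered:
        if path and exists(path):
            return path
    return None


def make_context(**kw):
    """Build a verifying SSLContext with the resolved bundle, or raise."""
    cafile = resolve_cafile(**kw)
    if cafile is None:
        raise RuntimeError("no CA bundle found; refusing to disable verification")
    return ssl.create_default_context(cafile=cafile)


if __name__ == "__main__":
    print(diagnose())
    print("using:", resolve_cafile())
```

Pass the context from `make_context()` to `urlopen(..., context=ctx)` or `httplib.HTTPSConnection(..., context=ctx)`; the point is to fix the search path, not to turn verification off.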