Date:      Mon, 29 Dec 2014 16:36:26 +1100
From:      Kubilay Kocak <koobs@FreeBSD.org>
To:        "James D. Lin" <jamesdlin@gmail.com>, python@freebsd.org
Subject:   Re: Python 2.7.9 looks for SSL certificates in /etc/ssl instead of /usr/local/etc/ssl
Message-ID:  <54A0E85A.4030404@FreeBSD.org>
In-Reply-To: <CADPatTdEmWSQDDx-eZ8ba3Pa_a2phzGME8CbeTcvpSPvckB45Q@mail.gmail.com>
References:  <CADPatTdEmWSQDDx-eZ8ba3Pa_a2phzGME8CbeTcvpSPvckB45Q@mail.gmail.com>

On 29/12/2014 4:18 PM, James D. Lin wrote:
> Hello,
> 
> I recently upgraded to Python 2.7.9 from the ports collection on my FreeBSD
> 10.0 system, and Python 2.7.9's change to enable SSL verification
> unexpectedly broke several of my Python scripts that made https connections
> to sites with valid SSL certificates.  The reason is that Python is looking
> for the CA file at /etc/ssl/cert.pem, which does not exist in my FreeBSD
> installation.  I do, however, have a /usr/local/etc/ssl/cert.pem file
> (which is actually a symlink to /usr/local/share/certs/ca-root-nss.crt).
> Calling ssl.get_default_verify_paths() in Python returns:
> 
> DefaultVerifyPaths(cafile=None,
>                    capath=None,
>                    openssl_cafile_env='SSL_CERT_FILE',
>                    openssl_cafile='/etc/ssl/cert.pem',
>                    openssl_capath_env='SSL_CERT_DIR',
>                    openssl_capath='/etc/ssl/certs')
> 
> Is this something that can (and should) be corrected in the Python 2.7.9
> port?
> 
> Thanks,
> 
> - James

James,

It's a bit of a spider web between base and ports openssl, along with
the ca_root_nss port, and various search path compatibility issues with
various consuming software (from ports).

What I can say is that *out of the box* (not base) support for SSL
certificate verification is important and we want to make it better, so
identifying the gaps is key.

You can see some more detail in the following issue, in which I also
mention Python's move to verification by default:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=189811

If you have anything to add, please comment as user feedback is very
important.

The Python team is also available on IRC at #freebsd-python (freenode)
if you want to discuss anything further :)

Thanks!

koobs
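The failure James describes is a CA search path that does not match where FreeBSD ports install the bundle, not a bad certificate, so the fix on the script side is to point Python at the right bundle while keeping verification on. The following is an added example (not code from the thread, the Python port, or the ca_root_nss port) that checks what OpenSSL's compiled-in default actually resolves to, then falls back through the paths quoted above. The names `FREEBSD_CA_CANDIDATES`, `default_cafile_exists`, `find_ca_bundle` and `make_verified_context` are mine; the candidate paths are the ones from the thread, and the example assumes the same SSL_CERT_FILE override semantics that ssl.get_default_verify_paths() reports.

```python
import os
import ssl

# Candidate CA bundle locations, in order of preference. The first two are
# where the ports openssl and the ca_root_nss port put the bundle on FreeBSD
# (paths quoted in the thread); the last is what a default OpenSSL build
# reports via ssl.get_default_verify_paths() and is missing on a stock system.
FREEBSD_CA_CANDIDATES = (
    "/usr/local/etc/ssl/cert.pem",
    "/usr/local/share/certs/ca-root-nss.crt",
    "/etc/ssl/cert.pem",
)


def default_cafile_exists():
    """Return (path, exists) for the CA file Python would use by default.

    `cafile` is set only when the compiled-in path exists; otherwise fall back
    to `openssl_cafile`, which is the path OpenSSL *would* look at.
    """
    paths = ssl.get_default_verify_paths()
    cafile = paths.cafile or paths.openssl_cafile
    return cafile, bool(cafile) and os.path.isfile(cafile)


def find_ca_bundle(candidates=FREEBSD_CA_CANDIDATES, environ=None):
    """Pick a CA bundle: honour SSL_CERT_FILE when it names a real file,
    otherwise take the first candidate present on disk. Returns None if
    nothing usable is found, so the caller can fail closed."""
    env = os.environ if environ is None else environ
    env_file = env.get("SSL_CERT_FILE")
    if env_file and os.path.isfile(env_file):
        return env_file
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def make_verified_context(cafile):
    """Build a client SSLContext that verifies the peer against `cafile`.

    Raises instead of silently degrading to an unverified connection when no
    bundle is available; the fix for a missing bundle is to install one, not
    to switch verification off.
    """
    if cafile is None:
        raise RuntimeError(
            "no CA bundle found; install security/ca_root_nss or set SSL_CERT_FILE")
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # create_default_context already sets these for SERVER_AUTH; stated here
    # so the intent survives if someone later swaps in a bare SSLContext.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


if __name__ == "__main__":
    default_path, present = default_cafile_exists()
    print("OpenSSL default CA file: %s (exists: %s)" % (default_path, present))
    bundle = find_ca_bundle()
    print("bundle selected: %s" % bundle)
    ctx = make_verified_context(bundle)
    print("verify_mode=%s check_hostname=%s" % (ctx.verify_mode, ctx.check_hostname))
```

On a FreeBSD host with ca_root_nss installed the script reports the missing /etc/ssl/cert.pem default and selects /usr/local/etc/ssl/cert.pem; the resulting context can be passed to `urllib2.urlopen(url, context=ctx)` (or `urllib.request.urlopen` on Python 3) so the scripts keep verifying certificates. The same effect without touching the scripts is `SSL_CERT_FILE=/usr/local/etc/ssl/cert.pem` in the environment, which is the override `ssl.get_default_verify_paths()` advertises.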
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54A0E85A.4030404>