From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
Date: Mon, 29 Dec 2014 16:36:26 +1100
To: "James D. Lin", python@freebsd.org
Subject: Re: Python 2.7.9 looks for SSL certificates in /etc/ssl instead of /usr/local/etc/ssl
Message-ID: <54A0E85A.4030404@FreeBSD.org>
List: freebsd-python@freebsd.org (FreeBSD-specific Python issues)

On 29/12/2014 4:18 PM, James D. Lin wrote:
> Hello,
>
> I recently upgraded to Python 2.7.9 from the ports collection on my FreeBSD
> 10.0 system, and Python 2.7.9's change to enable SSL verification
> unexpectedly broke several of my Python scripts that made https connections
> to sites with valid SSL certificates. The reason is that Python is looking
> for the CA file at /etc/ssl/cert.pem, which does not exist in my FreeBSD
> installation. I do, however, have a /usr/local/etc/ssl/cert.pem file
> (which is actually a symlink to /usr/local/share/certs/ca-root-nss.crt).
> Calling ssl.get_default_verify_paths() in Python returns:
>
>     DefaultVerifyPaths(cafile=None,
>                        capath=None,
>                        openssl_cafile_env='SSL_CERT_FILE',
>                        openssl_cafile='/etc/ssl/cert.pem',
>                        openssl_capath_env='SSL_CERT_DIR',
>                        openssl_capath='/etc/ssl/certs')
>
> Is this something that can (and should) be corrected in the Python 2.7.9
> port?
>
> Thanks,
>
> - James

James,

It's a bit of a spider web between base and ports openssl, along with the
ca_root_nss port, and various search path compatibility issues with various
consuming software (from ports).

What I can say is that *out of the box* (not base) support for SSL
certificate verification is important and we want to make it better, so
identifying the gaps is key.

You can see some more detail in the following issue, in which I also mention
Python's move to verification by default:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=189811

If you have anything to add, please comment, as user feedback is very
important.

The Python team is also available on IRC at #freebsd-python (freenode) if
you want to discuss anything further :)

Thanks!

koobs
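The practical question behind this thread is how a script can find a usable CA bundle when OpenSSL's compiled-in path (/etc/ssl/cert.pem here) is absent, without falling back to turning verification off. The following is an added example written for this page; it is not code from the thread, from the FreeBSD port, or from CPython. It reads the same DefaultVerifyPaths tuple the message shows, honours the SSL_CERT_FILE override that tuple names, and then tries the two FreeBSD locations James mentions (/usr/local/etc/ssl/cert.pem and the ca_root_nss bundle it links to). The remaining candidate paths, the function names and the constructed FreeBSD tuple used for the offline check are assumptions made for the example.

```python
"""Locate a usable CA bundle when OpenSSL's compiled-in default is missing.

Added example for this page; not part of the mailing-list thread, the
FreeBSD py27 port or CPython itself.
"""
import os
import ssl

# CA bundle locations tried after OpenSSL's compiled-in default.
# The first two are the FreeBSD paths named in the message above
# (the ca_root_nss port installs the bundle and the /usr/local/etc/ssl link);
# the remaining entries are assumptions for other Unix layouts.
CANDIDATE_CAFILES = (
    "/usr/local/etc/ssl/cert.pem",
    "/usr/local/share/certs/ca-root-nss.crt",
    "/etc/ssl/certs/ca-certificates.crt",   # assumed Debian/Ubuntu location
    "/etc/pki/tls/certs/ca-bundle.crt",     # assumed RHEL/Fedora location
)


def freebsd_python279_paths():
    """Constructed copy of the DefaultVerifyPaths tuple quoted in the message.

    Lets the resolver be exercised offline, on any host, exactly as it would
    behave on the FreeBSD 10.0 + Python 2.7.9 system described above.
    """
    return ssl.DefaultVerifyPaths(
        cafile=None,
        capath=None,
        openssl_cafile_env="SSL_CERT_FILE",
        openssl_cafile="/etc/ssl/cert.pem",
        openssl_capath_env="SSL_CERT_DIR",
        openssl_capath="/etc/ssl/certs",
    )


def resolve_cafile(paths=None, environ=None, exists=os.path.isfile):
    """Return the CA bundle path verification should use, or None if none is found.

    Search order: the env override OpenSSL itself honours (SSL_CERT_FILE),
    the bundle ssl already resolved, OpenSSL's compiled-in default if it
    happens to exist, then CANDIDATE_CAFILES.  `paths`, `environ` and
    `exists` are injectable so the logic can be tested without a live system.
    """
    if paths is None:
        paths = ssl.get_default_verify_paths()
    if environ is None:
        environ = os.environ

    override = environ.get(paths.openssl_cafile_env)
    if override:
        # An explicit override pointing at a missing file is a configuration
        # error; do not silently fall past it to some other bundle.
        return override if exists(override) else None
    if paths.cafile:
        # ssl only fills this in when the file actually exists.
        return paths.cafile
    if paths.openssl_cafile and exists(paths.openssl_cafile):
        return paths.openssl_cafile
    for candidate in CANDIDATE_CAFILES:
        if exists(candidate):
            return candidate
    return None


def make_verifying_context(cafile):
    """Build a client context that verifies peers against `cafile`.

    Refuses to proceed without a bundle rather than downgrading to CERT_NONE,
    which is the tempting but wrong fix for the breakage in the thread.
    """
    if cafile is None:
        raise RuntimeError(
            "no CA bundle found; set SSL_CERT_FILE or install a root bundle")
    # create_default_context gives CERT_REQUIRED plus hostname checking.
    ctx = ssl.create_default_context(cafile=cafile)
    if ctx.cert_store_stats()["x509_ca"] == 0:
        raise RuntimeError("%s contains no CA certificates" % cafile)
    return ctx


if __name__ == "__main__":
    # Live run on the current host: shows which bundle would be used and
    # how many CA certificates it loads (raises if none can be found).
    chosen = resolve_cafile()
    print("using CA bundle: %s" % chosen)
    context = make_verifying_context(chosen)
    print("CA certificates loaded: %d" % context.cert_store_stats()["x509_ca"])
```

On the system from the thread, `resolve_cafile()` with no SSL_CERT_FILE set returns /usr/local/etc/ssl/cert.pem, and `ssl.create_default_context(cafile=...)` with that path is the per-script equivalent of exporting SSL_CERT_FILE=/usr/local/etc/ssl/cert.pem before running the script. Either way verification stays on; the context is only ever built with CERT_REQUIRED.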