Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 24 May 2021 07:59:10 +0000
From:      bugzilla-noreply@freebsd.org
To:        python@FreeBSD.org
Subject:   [Bug 251562] security/py-certifi: SSLError 'certificate verify failed' despite correct looking /etc/ssl/cert.pem
Message-ID:  <bug-251562-21822-OFg3ts5Q3e@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-251562-21822@https.bugs.freebsd.org/bugzilla/>
References:  <bug-251562-21822@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D251562

--- Comment #3 from Andreas Strauch <andreas.strauch@hotmail.com> ---
(In reply to Kubilay Kocak from comment #2)

Yes, correct. IMHO it would be beneficial to have certifi use the system
provided root store. For the sake of security, the main goal should be to
encourage as much usage of TLS as possible.

As an example: my actual use case is about using certbot. I have the
'py37-certbot' and 'py37-certbot-nginx' packages installed because I run my=
 own
ACME server at home. Of course my own ACME server does not have a TLS
certificate that could be found in official root stores. I have to add the =
TLS
root certificate of my 'personal little enterprise' to the system provided =
root
store. It is a little bit of extra work, but still no problem.

Now, my concern is that if 'private' TLS root certificates have to be added=
 in
multiple places, it might make the case for not bothering and rely on the
'--no-verify-ssl' options (and equivalents) out there. It unnecessarily rai=
ses
the bar on both complexity and effort to use TLS and as such, undermines the
maximum possible speed in which TLS is being used by everybody.

Last but not least, I must admit that I know nothing about Python really an=
d I
don't know the magnitude of implications involved to make such change.
Regardless, I will be happy to help where I can. Please put me in the direc=
tion
of tasks to be done and I will try my best.

--=20
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-251562-21822-OFg3ts5Q3e>