address compromised TURKTRUST certificates

[slingamn]

It seems likely that requests/cacerts.pem is affected by the recent compromise of TURKTRUST certificates. However, I'm not sure what exactly we need to do to fix this. Removing both of the root certs we currently have in there is probably wrong.

Maybe @saschpe can advise?

[slingamn]

Hmm, I tried to follow the instructions here: [https://gist.github.com/996292]

but the URL given there for certdata.txt points to a file dated December 29, 2012, and it doesn't change the status of any TURKTRUST certificates. I'll ask around.

[slingamn]

Hmm, OK. The December 29th file ([https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1] ) has the changes we need at the very end, but they take the form of blacklisting the affected intermediate certificates rather than removing the root certificates. The process of converting this to a .pem seems to lose this information.

[kennethreitz]

yeah, i always remove them by hand. Care to send a PR with the CA removed?

[slingamn]

My current understanding is that Python's ssl module lacks support for blacklisting intermediate certificates, it can only whitelist roots. Thus the file I'm submitting in the pull request removes the TURKTRUST roots entirely.

[freddyb]

Please note that most browsers still trust the TURKTRUST root CA, so this patch will cause some mismatch to what browsers do.
Mozilla, for example, has only blacklisted the intermediate certificates that TURKTRUST wrongly issued. See https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/

[slingamn]

Agreed, this is suboptimal. We're doing this because Python's ssl module doesn't seem to support this kind of sophisticated blacklisting behavior.

Python's ssl module is weird; there's a baseline of documented functionality, and then some platforms appear to have undocumented extensions. See #629 for an issue of this kind.