address compromised TURKTRUST certificates #1102
Comments
Hmm, I tried to follow the instructions here: [https://gist.github.com/996292] but the URL given there for certdata.txt points to a file dated December 29, 2012, and it doesn't change the status of any TURKTRUST certificates. I'll ask around.
Hmm, OK. The December 29th file ([https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1]) has the changes we need at the very end, but they take the form of blacklisting the affected intermediate certificates rather than removing the root certificates. The process of converting this to a .pem seems to lose this information.
Yeah, I always remove them by hand. Care to send a PR with the CA removed?
My current understanding is that Python's ssl module lacks support for blacklisting intermediate certificates; it can only whitelist roots. Thus the file I'm submitting in the pull request removes the TURKTRUST roots entirely.
Please note that most browsers still trust the TURKTRUST root CA, so this patch will cause some mismatch with what browsers do.
Agreed, this is suboptimal. We're doing this because Python's ssl module doesn't seem to support this kind of sophisticated blacklisting behavior. Python's ssl module is weird; there's a baseline of documented functionality, and then some platforms appear to have undocumented extensions. See #629 for an issue of this kind.
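The information loss the comments above describe can be seen by parsing certdata.txt directly. The following is an added example, not code from the requests project or from the NSS tooling linked in the thread: it parses a constructed excerpt in the certdata.txt object format (CKO_CERTIFICATE objects carrying DER bytes as octal escapes, paired by label with CKO_NSS_TRUST objects carrying trust flags), emits only roots marked CKT_NSS_TRUSTED_DELEGATOR for server authentication into a PEM bundle, and reports the CKT_NSS_NOT_TRUSTED entries that a whitelist-only store such as the one Python's ssl module consumes cannot represent. The `drop_labels` filter is the "remove them by hand" step from the thread. The labels, the DER placeholders and the function names are all made up for the example.

```python
import base64
import re
import textwrap


def _octal(data: bytes) -> str:
    """Render bytes the way certdata.txt does: one \\NNN octal escape per byte."""
    return "".join("\\%03o" % b for b in data)


# Constructed placeholders standing in for DER certificates (not real X.509 data).
FAKE_ROOT_DER = b"\x30\x82\x01\x00" + b"root-ca-der-placeholder"
FAKE_INTERMEDIATE_DER = b"\x30\x82\x01\x00" + b"mis-issued-intermediate-placeholder"

# Constructed certdata.txt excerpt: a trusted root followed by an intermediate that
# is explicitly distrusted, the shape the thread says the real file's tail has.
SAMPLE_CERTDATA = f"""\
# Constructed sample, not the real Mozilla file
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
{_octal(FAKE_ROOT_DER)}
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Distrusted Intermediate"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
{_octal(FAKE_INTERMEDIATE_DER)}
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Distrusted Intermediate"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""


def parse_certdata(text: str) -> list:
    """Parse certdata.txt into a list of objects (attribute name -> value).

    A new object starts at every CKA_CLASS line. MULTILINE_OCTAL attributes run
    until a line reading END and are decoded to bytes; UTF8 values lose their quotes.
    """
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        attr, typ = parts[0], parts[1]
        value = parts[2] if len(parts) > 2 else ""
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None:
            continue
        if typ == "MULTILINE_OCTAL":
            buf = []
            for octal_line in lines:  # consume until END, sharing the iterator
                if octal_line.strip() == "END":
                    break
                buf.append(octal_line)
            value = bytes(int(m, 8) for m in re.findall(r"\\([0-7]{3})", "".join(buf)))
        elif typ == "UTF8":
            value = value.strip('"')
        current[attr] = value
    return objects


def to_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes as one PEM CERTIFICATE block, preceded by a label comment."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "# %s\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (label, body)


def build_trust_store(objects: list, drop_labels=()) -> dict:
    """Split certdata objects into what a PEM whitelist can and cannot carry.

    included:   roots trusted for TLS server auth, written to the PEM bundle
    distrusted: CKT_NSS_NOT_TRUSTED entries; an explicit blacklist with no PEM equivalent
    dropped:    otherwise-trusted roots removed by hand via drop_labels substrings
    """
    certs = {o["CKA_LABEL"]: o["CKA_VALUE"] for o in objects
             if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    trust = {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    result = {"pem": "", "included": [], "distrusted": [], "dropped": []}
    for label, der in certs.items():
        flag = trust.get(label, {}).get("CKA_TRUST_SERVER_AUTH")
        if flag == "CKT_NSS_NOT_TRUSTED":
            result["distrusted"].append(label)  # lost when converting to a root-only .pem
            continue
        if flag != "CKT_NSS_TRUSTED_DELEGATOR":
            continue  # not a TLS trust anchor; a whitelist simply omits it
        if any(needle in label for needle in drop_labels):
            result["dropped"].append(label)
            continue
        result["included"].append(label)
        result["pem"] += to_pem(label, der)
    return result


if __name__ == "__main__":
    store = build_trust_store(parse_certdata(SAMPLE_CERTDATA))
    print("roots in bundle:", store["included"])
    print("distrust entries a PEM bundle cannot express:", store["distrusted"])
    print(store["pem"])
```

Running it shows one root in the bundle and one distrusted intermediate reported but not representable; passing `drop_labels=("Example Trusted",)` removes the root as well, which is the blunt workaround the pull request in this thread takes for the TURKTRUST roots.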
It seems likely that requests/cacerts.pem is affected by the recent compromise of TURKTRUST certificates. However, I'm not sure what exactly we need to do to fix this. Removing both of the root certs we currently have in there is probably wrong. Maybe @saschpe can advise?