Feature or enhancement
Proposal:
SSLContext.load_verify_locations can load CA certificates or CRLs to validate against. It provides three parameters: cafile, capath and cadata. While all three can be used to load certificates, only the first two can load revocation lists.
If I have the CRL already in memory (e.g. because some earlier code downloaded and inspected the CRL before use), it has to be written to a file in order to load it.
The following code does not work - it raises an exception:
import ssl

crl = ...  # DER-encoded CRL loaded previously
ctx = ssl.create_default_context()
ctx.load_verify_locations(cadata=crl)
Traceback (most recent call last):
File "<python-input-3>", line 1, in <module>
ctx.load_verify_locations(cadata=crl)
~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^
ssl.SSLError: not enough data: cadata does not contain a certificate (_ssl.c:4219)
This workaround works, but is a bit ugly:
import ssl
import tempfile

crl = ...  # CRL loaded previously
ctx = ssl.create_default_context()
with tempfile.NamedTemporaryFile(buffering=0) as f:
    f.write(crl)  # unbuffered binary file, so the bytes go straight to disk
    f.flush()
    ctx.load_verify_locations(cafile=f.name)
Also, the documentation is not clear on this, currently: Above the description of the three parameters, it says, "This method can also load certification revocation lists (CRLs) in PEM or DER format". In the description of each parameter, only certificates (not CRLs) are mentioned, e.g. "The cafile string, if present, is the path to a file of concatenated CA certificates in PEM format".
There is also no indication that only cafile and capath can take CRLs, and that using cadata for this fails.
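The behaviour described above, as an added example that is not part of this issue or of CPython's ssl module: it hand-builds a constructed, unsigned v1 CRL in DER (so nothing has to be downloaded or signed; the issuer name, dates and serial are made-up values and the signature is zero-filled), shows that cadata= raises SSLError for it, and wraps the tempfile workaround in a helper that loads the PEM-encoded CRL through cafile= and then sets ssl.VERIFY_CRL_CHECK_LEAF, without which OpenSSL keeps the CRL in the store but never consults it during verification. The helper names and the minimal DER encoder are this example's own.

```python
"""Loading an in-memory CRL via SSLContext.load_verify_locations (added example)."""
import base64
import os
import ssl
import tempfile
import textwrap


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (definite lengths up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER from dotted notation (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def build_test_crl_der() -> bytes:
    """Constructed, UNSIGNED v1 CertificateList used only to exercise the loader.

    The signature is zero-filled, so this CRL can never verify against any
    issuer; it is just a well-formed structure with one revoked serial.
    """
    sig_alg = _tlv(0x30, _oid("1.2.840.113549.1.1.11") + b"\x05\x00")  # sha256WithRSAEncryption, NULL params
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _oid("2.5.4.3") + _tlv(0x0C, b"Constructed Test CA"))))  # CN=
    this_update = _tlv(0x17, b"240101000000Z")  # UTCTime, made-up date
    next_update = _tlv(0x17, b"260101000000Z")
    revoked = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x10\x01") + _tlv(0x17, b"240601000000Z")))  # serial 0x1001
    tbs = _tlv(0x30, sig_alg + issuer + this_update + next_update + revoked)
    signature = _tlv(0x03, b"\x00" + bytes(32))  # BIT STRING, 0 unused bits, dummy value
    return _tlv(0x30, tbs + sig_alg + signature)


def crl_to_pem(der: bytes) -> str:
    """PEM-armour a DER CRL; the cafile= loader reads PEM."""
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN X509 CRL-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END X509 CRL-----\n"


def cadata_rejects_crl(crl_der: bytes) -> bool:
    """True if cadata= refuses the CRL, which is the behaviour this issue reports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=crl_der)  # bytes are treated as DER
    except ssl.SSLError:
        return True
    return False


def load_crl_from_memory(crl_pem: str, ctx: ssl.SSLContext = None) -> ssl.SSLContext:
    """Workaround: spool the PEM CRL to a temporary file and load it via cafile=.

    Also enables leaf CRL checking: a loaded CRL is ignored at verification
    time unless a VERIFY_CRL_CHECK_* flag is set on the context.
    """
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # empty store, so counts start at 0
    with tempfile.TemporaryDirectory() as tmp:  # portable: file is closed before OpenSSL opens it
        path = os.path.join(tmp, "crl.pem")
        with open(path, "w", encoding="ascii") as f:
            f.write(crl_pem)
        ctx.load_verify_locations(cafile=path)
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


if __name__ == "__main__":
    der = build_test_crl_der()
    print("cadata= rejects a CRL:", cadata_rejects_crl(der))
    loaded = load_crl_from_memory(crl_to_pem(der))
    print("CRLs in store after cafile= workaround:", loaded.cert_store_stats()["crl"])
```

cert_store_stats() is the quickest way to confirm that a CRL, rather than a certificate, actually landed in the context's store, since get_ca_certs() only lists certificates.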
Has this already been discussed elsewhere?
This is a minor feature, which does not need previous discussion elsewhere
Links to previous discussion of this feature:
No response