ctx.load_verify_locations(cadata) #62338
Comments
The patch implements an add_cert(pem_or_der_data) method for the ssl.SSLContext() object. On success the method adds a trusted CA cert to the context's internal cert store. The CA certificate can either be an ASCII unicode string (PEM format) or buffer object (DER / ASN1 format). The patch also implements a get_cert_count() method for debugging. I'm going to remove that function eventually as it doesn't give correct answers when the object table contains CRLs, too. A correct implementation might be useful to verify set_default_verify_paths(). I've split up the functions so I can re-use _add_cert() in my upcoming patch for an interface to crypt32.dll on Windows.
New patch:
Here is a simplified version of the C function. It uses y* or es# "ascii" to parse the argument. The check for trailing data ensures that the user gets an error message if she tries to load a PEM string with multiple certs. She might expect that add_ca_cert(pem) loads all PEM certs from the string while in fact PEM_read_bio_X509() only loads the first cert. The new patch makes the check optional. I still need to find a good name for the option, though...
I don't think it is useful. Just make the behaviour well-documented.
I'm pondering about the error case "cert already in hash table". There should be a way to distinguish the error from other errors. I see three ways to handle the case:
I like 3).
On Tuesday, 18 June 2013 at 17:30 +0000, Christian Heimes wrote:
I don't know if you've seen it, but SSLError has "library" and "reason"
Yes, sounds reasonable.
Yes, I have seen them. In fact OpenSSL has library, function and reason. if ((ERR_GET_LIB(errcode) == ERR_LIB_X509) && I'm going for 3)
I think the patch in bpo-16487 does too many things at once. The new patch is a draft for a new patch that adds SSLContext.load_verify_locations(cadata) to the SSL module. cadata can be a bunch of PEM encoded certs (ASCII) or DER encoded certs (bytes-like). The patch may contain bugs as I haven't verified all error paths yet.
Final patch
New changeset 234e3c8dc52f by Christian Heimes in branch 'default':
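The two practical concerns raised in this thread are (a) a caller handing a multi-cert PEM bundle to a loader that may only take the first certificate, and (b) telling OpenSSL's "cert already in hash table" failure apart from other `SSLError`s via the `library`/`reason` attributes. The following is an added example, not code from the issue or from CPython: it splits a PEM bundle into individual certificates, converts them to DER so the same bundle can be passed as bytes, loads it through the `cadata` keyword and checks the resulting certificate count with `SSLContext.cert_store_stats()` (a real, later `ssl` API). The sample bundle is constructed from base64 of arbitrary bytes and is not a real certificate, so `load_ca_bundle()` is shown but not exercised on it; the `"CERT_ALREADY_IN_HASH_TABLE"` reason string is an assumption about OpenSSL's error table.

```python
import base64
import re
import ssl

# Constructed sample, NOT real certificates: each body is the base64 of a short
# byte string, enough to exercise the splitter and the PEM -> DER conversion.
_FAKE_BODY_1 = base64.encodebytes(b"fake-cert-one").decode("ascii")
_FAKE_BODY_2 = base64.encodebytes(b"fake-cert-two").decode("ascii")
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + _FAKE_BODY_1 + "-----END CERTIFICATE-----\n"
    + "-----BEGIN CERTIFICATE-----\n" + _FAKE_BODY_2 + "-----END CERTIFICATE-----\n"
)

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def split_pem_certs(bundle: str) -> list[str]:
    """Return every PEM certificate block in *bundle* as its own normalised string."""
    return [
        "-----BEGIN CERTIFICATE-----\n" + m.group(1).strip() + "\n-----END CERTIFICATE-----\n"
        for m in _PEM_CERT.finditer(bundle)
    ]


def pem_to_der(pem_cert: str) -> bytes:
    """Convert one PEM certificate block to DER by decoding its base64 body."""
    m = _PEM_CERT.search(pem_cert)
    if m is None:
        raise ValueError("not a PEM certificate block")
    body = "".join(m.group(1).split())  # drop line breaks inside the body
    return base64.b64decode(body, validate=True)


def bundle_to_der(bundle: str) -> bytes:
    """Concatenate the DER form of every certificate in a PEM bundle.

    cadata accepts DER certificates as a bytes-like object; concatenating
    them is how several DER certificates are handed over in one call."""
    return b"".join(pem_to_der(c) for c in split_pem_certs(bundle))


def load_ca_bundle(ctx: ssl.SSLContext, bundle: str, as_der: bool = False) -> int:
    """Load *bundle* via cadata and return how many certs the store gained.

    The count is compared with the number of PEM blocks in the bundle, so a
    loader that silently stops after the first certificate is caught.  A
    shortfall can also mean a certificate was already present in the store."""
    expected = len(split_pem_certs(bundle))
    cadata = bundle_to_der(bundle) if as_der else bundle  # str = PEM, bytes = DER
    before = ctx.cert_store_stats()["x509"]
    ctx.load_verify_locations(cadata=cadata)
    loaded = ctx.cert_store_stats()["x509"] - before
    if loaded != expected:
        raise ValueError(f"expected {expected} certs in the store, got {loaded}")
    return loaded


def is_duplicate_cert_error(exc: BaseException) -> bool:
    """Recognise OpenSSL's 'cert already in hash table' failure from the
    library/reason attributes SSLError carries (option 3 in the thread).
    The reason string is an assumption; verify it against your OpenSSL."""
    return (
        getattr(exc, "library", None) == "X509"
        and getattr(exc, "reason", None) == "CERT_ALREADY_IN_HASH_TABLE"
    )


if __name__ == "__main__":
    print(len(split_pem_certs(SAMPLE_BUNDLE)), "PEM blocks in the sample bundle")
    print(len(bundle_to_der(SAMPLE_BUNDLE)), "bytes of concatenated DER")
```

With a real bundle, `load_ca_bundle(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), open("ca-bundle.pem").read())` loads it as PEM and `as_der=True` round-trips the same data through the bytes path; either way the function raises if the store did not gain one certificate per PEM block, which is the check the "trailing data" discussion in this thread was trying to give the user.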
Memo to me: update whatsnew |
New changeset 8e3b3b4a90fb by R David Murray in branch 'default':