ssl.get_default_verify_paths() #62343
Comments
The patch implements a get_default_verify_paths() function for the ssl module. It returns the env vars and paths that are used by openssl's set_default_verify_paths() to load CA certs from default locations. I think it makes a useful addition for debugging purposes. On my system:

>>> import ssl
>>> ssl.get_default_verify_paths()
(None, '/usr/lib/ssl/certs')
>>> ssl.get_default_verify_paths(raw=True)
('SSL_CERT_FILE', '/usr/lib/ssl/cert.pem', 'SSL_CERT_DIR', '/usr/lib/ssl/certs')

SSL_CTX_set_default_verify_paths() first tries the env var. If the env var is set the second element is ignored.
I have no clue what is being returned by this function. Any chance of using types.SimpleNamespace to give meaningful names to the returned values instead of a tuple?
Sure! I can add SimpleNamespace. The C function returns four elements:
SSLContext.set_default_verify_paths() is unable to return information if it was able to load any CA certs. With get_default_verify_paths() a developer is able to debug which file or directory is used by OpenSSL. The code is based on OpenSSL's X509_STORE_set_default_paths(). If you want to read up on it: http://cvs.openssl.org/fileview?f=openssl/crypto/x509/x509_d2.c&v=1.7
I forgot that a SimpleNamespace is an unordered collection. However the order is significant. OpenSSL uses the cafile first and ignores capath if a cert in cafile matches. The path to cafile or capath is ignored when the environment key exists -- even when it doesn't point to any existing file or directory. I think a named tuple is better here.
How about that output, Brett? cafile is None because /usr/lib/ssl/cert.pem doesn't exist on my system.

>>> import ssl
>>> ssl.get_default_verify_paths()
DefaultVerifyPaths(cafile=None, capath='/usr/lib/ssl/certs')
>>> ssl.get_default_verify_paths(raw=True)
RawDefaultVerifyPaths(cafile_env_key='SSL_CERT_FILE', cafile='/usr/lib/ssl/cert.pem', capath_env_key='SSL_CERT_DIR', capath='/usr/lib/ssl/certs')
That's better. As long as you use result[1::2] then the tuple is reasonable to use for the order need and still make sense as an iterable.
New patch with tests and documentation.
Your "raw" parameter is one too many IMO. You should find a way to present all relevant information in a single API call.
How about a single return value:

DefaultVerifyPaths = collections.namedtuple("DefaultVerifyPaths",
    "cafile capath openssl_cafile_env openssl_cafile openssl_capath_env openssl_capath")
Sounds good.
New changeset a4d31e56075d by Christian Heimes in branch 'default':
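The thread describes the precedence OpenSSL applies to the six fields of the final DefaultVerifyPaths tuple: the environment variable wins whenever it is set, even if it points at nothing, otherwise the compiled-in default is used. The following is an added example, not code from the issue or from CPython, that applies that rule to a DefaultVerifyPaths value and reports which CA source is actually in effect and whether it exists on disk; `resolve_verify_paths`, `verify_path_report`, `CASource` and the constructed sample paths are all assumptions of this example.

```python
import os
import ssl
from collections import namedtuple

# One resolved CA source: cafile or capath, the path chosen, where it came from,
# and whether that path exists on this machine.
CASource = namedtuple("CASource", "kind path source exists")

# Constructed sample input for offline testing; real values come from
# ssl.get_default_verify_paths(). The compiled-in paths here deliberately do not exist.
CONSTRUCTED_PATHS = ssl.DefaultVerifyPaths(
    cafile=None, capath=None,
    openssl_cafile_env="SSL_CERT_FILE", openssl_cafile="/nonexistent/cert.pem",
    openssl_capath_env="SSL_CERT_DIR", openssl_capath="/nonexistent/certs",
)

def resolve_verify_paths(paths, environ):
    """Apply the precedence discussed in the thread to a DefaultVerifyPaths tuple.

    `environ` is any mapping (os.environ in practice, a dict in tests). If the env
    key is present its value is used unconditionally, even when it points at nothing.
    """
    results = []
    for kind, env_key, default in (
        ("cafile", paths.openssl_cafile_env, paths.openssl_cafile),
        ("capath", paths.openssl_capath_env, paths.openssl_capath),
    ):
        if env_key in environ:
            path, source = environ[env_key], "env:" + env_key
        else:
            path, source = default, "openssl-default"
        check = os.path.isfile if kind == "cafile" else os.path.isdir
        results.append(CASource(kind, path, source, bool(path) and check(path)))
    return results

def verify_path_report(paths=None, environ=None):
    """Return (resolved sources, warnings) for the running interpreter by default."""
    paths = ssl.get_default_verify_paths() if paths is None else paths
    environ = os.environ if environ is None else environ
    sources = resolve_verify_paths(paths, environ)
    warnings = [f"{s.kind} from {s.source} does not exist: {s.path!r}"
                for s in sources if s.path and not s.exists]
    if not any(s.exists for s in sources):
        # With no usable source, OpenSSL loads no CA certs and verification fails
        # for every peer unless certificates are loaded explicitly.
        warnings.append("no default CA file or directory exists on this system")
    return sources, warnings

if __name__ == "__main__":
    sources, warnings = verify_path_report()
    for s in sources:
        print(f"{s.kind}: {s.path!r} ({s.source}, exists={s.exists})")
    for w in warnings:
        print("WARNING:", w)
```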