ssl.get_default_verify_paths() #62343

Closed
tiran opened this issue Jun 5, 2013 · 11 comments
Labels
type-feature A feature request or enhancement

Comments

@tiran
Member

tiran commented Jun 5, 2013

BPO 18143
Nosy @brettcannon, @pitrou, @tiran
Files
  • sslverifypath2.patch

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

GitHub fields:

assignee = None
closed_at = <Date 2013-06-24.13:42:35.863>
created_at = <Date 2013-06-05.15:44:20.642>
labels = ['type-feature']
title = 'ssl.get_default_verify_paths()'
updated_at = <Date 2013-06-24.13:42:35.863>
user = 'https://github.com/tiran'

bugs.python.org fields:

activity = <Date 2013-06-24.13:42:35.863>
actor = 'christian.heimes'
assignee = 'none'
closed = True
closed_date = <Date 2013-06-24.13:42:35.863>
closer = 'christian.heimes'
components = []
creation = <Date 2013-06-05.15:44:20.642>
creator = 'christian.heimes'
dependencies = []
files = ['30476']
hgrepos = []
issue_num = 18143
keywords = ['patch']
message_count = 11.0
messages = ['190669', '190672', '190674', '190675', '190678', '190680', '190682', '190801', '190808', '190814', '190859']
nosy_count = 4.0
nosy_names = ['brett.cannon', 'pitrou', 'christian.heimes', 'python-dev']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue18143'
versions = ['Python 3.4']

@tiran
Member Author

tiran commented Jun 5, 2013

The patch implements a get_default_verify_paths() function for the ssl module. It returns the env vars and paths that are used by openssl's set_default_verify_paths() to load CA certs from default locations. I think it makes a useful addition for debugging purposes.

On my system:

>>> import ssl
>>> ssl.get_default_verify_paths()
(None, '/usr/lib/ssl/certs')
>>> ssl.get_default_verify_paths(raw=True)
('SSL_CERT_FILE', '/usr/lib/ssl/cert.pem', 'SSL_CERT_DIR', '/usr/lib/ssl/certs')

SSL_CTX_set_default_verify_paths() first tries the env var. If the env var is set the second element is ignored.

@tiran tiran added the type-feature A feature request or enhancement label Jun 5, 2013
@brettcannon
Member

I have no clue what is being returned by this function. Any chance of using types.SimpleNamespace to give meaningful names to the returned values instead of a tuple?

@tiran
Member Author

tiran commented Jun 5, 2013

Sure! I can add SimpleNamespace.

The C function returns four elements:

• environment var that is used to look up the path to a CA cert file
• path to a CA cert file
• environment var that is used to look up the path to a CA cert directory
• path to a CA cert directory

SSLContext.set_default_verify_paths() is unable to return information if it was able to load any CA certs. With get_default_verify_paths() a developer is able to debug which file or directory is used by OpenSSL. The code is based on OpenSSL's X509_STORE_set_default_paths(). If you want to read up on it:

http://cvs.openssl.org/fileview?f=openssl/crypto/x509/x509_d2.c&v=1.7
http://cvs.openssl.org/fileview?f=openssl/crypto/x509/x509_def.c&v=1.5
http://cvs.openssl.org/fileview?f=openssl/crypto/x509/by_file.c&v=1.12.4.4

@tiran
Member Author

tiran commented Jun 5, 2013

I forgot that a SimpleNamespace is an unordered collection. However the order is significant. OpenSSL uses the cafile first and ignores capath if a cert in cafile matches. The path to cafile or capath is ignored when the environment key exists -- even when it doesn't point to any existing file or directory.

I think a named tuple is better here.
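The precedence rules described in the comments above (the environment key shadows the compiled-in path even when it points nowhere; a location that does not exist is reported as None) as an added model. This is not the patch attached to this issue and not CPython's code; it uses the six-field namedtuple shape settled on later in the thread, injectable `environ`/`isfile`/`isdir` hooks, and constructed paths (`/etc/my-ca.pem`, `/nonexistent`, the `/usr/lib/ssl/...` values quoted above) so it runs without reading the host's filesystem:

```python
import os
from collections import namedtuple

# Six-field result shape; mirrors the namedtuple agreed on in this thread.
DefaultVerifyPaths = namedtuple(
    "DefaultVerifyPaths",
    "cafile capath openssl_cafile_env openssl_cafile openssl_capath_env openssl_capath",
)


def resolve_verify_paths(raw, environ=None, isfile=os.path.isfile, isdir=os.path.isdir):
    """Apply OpenSSL's precedence rules to the raw 4-tuple.

    raw is (cafile_env_key, cafile, capath_env_key, capath), i.e. what the
    C side reports. Rules, as described in the thread:
      * if the environment key is set, its value replaces the compiled-in
        path, even when it points at nothing;
      * the resulting location is reported as None if it does not exist.
    environ/isfile/isdir are injectable so the logic can be exercised
    without depending on the host's filesystem.
    """
    if environ is None:
        environ = os.environ
    cafile_env, cafile_builtin, capath_env, capath_builtin = raw
    cafile = environ.get(cafile_env, cafile_builtin)
    capath = environ.get(capath_env, capath_builtin)
    return DefaultVerifyPaths(
        cafile if isfile(cafile) else None,
        capath if isdir(capath) else None,
        cafile_env, cafile_builtin, capath_env, capath_builtin,
    )


def explain(paths, environ=None):
    """One line per location saying where OpenSSL will look and why."""
    if environ is None:
        environ = os.environ
    lines = []
    for kind, env_key, builtin, effective in (
        ("cafile", paths.openssl_cafile_env, paths.openssl_cafile, paths.cafile),
        ("capath", paths.openssl_capath_env, paths.openssl_capath, paths.capath),
    ):
        if env_key in environ:
            source = f"{env_key}={environ[env_key]!r} (shadows built-in {builtin!r})"
        else:
            source = f"built-in {builtin!r} ({env_key} unset)"
        status = "usable" if effective else "MISSING, OpenSSL will find nothing here"
        lines.append(f"{kind}: {source} -> {status}")
    return lines


# Constructed scenario data (not real host state): the raw tuple quoted in
# the issue, and a pretend filesystem containing one CA file and one directory.
RAW = ("SSL_CERT_FILE", "/usr/lib/ssl/cert.pem", "SSL_CERT_DIR", "/usr/lib/ssl/certs")
FILES = {"/etc/my-ca.pem"}          # constructed: cert.pem does not exist
DIRS = {"/usr/lib/ssl/certs"}       # constructed: the certs directory does


def scenario(env):
    """Resolve RAW against the constructed filesystem under environment env."""
    return resolve_verify_paths(
        RAW, environ=env, isfile=FILES.__contains__, isdir=DIRS.__contains__
    )


if __name__ == "__main__":
    for env in ({}, {"SSL_CERT_DIR": "/nonexistent"}, {"SSL_CERT_FILE": "/etc/my-ca.pem"}):
        paths = scenario(env)
        print(env, "->", paths[:2])
        print("\n".join("  " + line for line in explain(paths, env)))
```

The second scenario is the one worth remembering when debugging: a stray `SSL_CERT_DIR` pointing at a missing directory silently disables the otherwise valid built-in path, and the context ends up with no CA store at all.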

@tiran
Member Author

tiran commented Jun 5, 2013

How about that output, Brett? cafile is None because /usr/lib/ssl/cert.pem doesn't exist on my system.

>>> import ssl
>>> ssl.get_default_verify_paths()
DefaultVerifyPaths(cafile=None, capath='/usr/lib/ssl/certs')
>>> ssl.get_default_verify_paths(raw=True)
RawDefaultVerifyPaths(cafile_env_key='SSL_CERT_FILE', cafile='/usr/lib/ssl/cert.pem', capath_env_key='SSL_CERT_DIR', capath='/usr/lib/ssl/certs')

@brettcannon
Member

That's better. As long as you use result[1::2] then the tuple is reasonable to use for the order needed and still makes sense as an iterable.

@tiran
Member Author

tiran commented Jun 5, 2013

New patch with tests and documentation.

@pitrou
Member

pitrou commented Jun 8, 2013

Your "raw" parameter is one too many IMO. You should find a way to present all relevant information in a single API call.

@tiran
Member Author

tiran commented Jun 8, 2013

How about a single return value:

DefaultVerifyPaths = collections.namedtuple("DefaultVerifyPaths",
    "cafile capath openssl_cafile_env openssl_cafile openssl_capath_env openssl_capath")
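The single six-field return value proposed above is what `ssl.get_default_verify_paths()` returns in the standard library today. As an added example (not from this issue or CPython), the following pairs it with `SSLContext.cert_store_stats()` to answer the question raised earlier in the thread that `set_default_verify_paths()` itself cannot: which locations OpenSSL consulted, and whether any CA certificates actually ended up in the store. The `source`/`fresh_context` helpers and the dictionary keys are this example's own:

```python
import os
import ssl


def fresh_context():
    """A client context that has not loaded any CA certificates yet."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def verify_store_report(context=None):
    """Combine get_default_verify_paths() with cert_store_stats().

    If no context is given, a fresh client context is created and the
    default locations are loaded into it with set_default_verify_paths(),
    exactly as an application relying on system CAs would do.
    """
    paths = ssl.get_default_verify_paths()
    if context is None:
        context = fresh_context()
        context.set_default_verify_paths()
    # cert_store_stats() -> {'x509': n, 'crl': n, 'x509_ca': n}
    stats = context.cert_store_stats()

    def source(env_key, builtin):
        # Same precedence as OpenSSL: an environment key, if present, shadows
        # the compiled-in default even when it points nowhere.
        if env_key in os.environ:
            return f"env:{env_key}={os.environ[env_key]}"
        return f"builtin:{builtin}"

    return {
        "cafile": paths.cafile,            # None when the file does not exist
        "capath": paths.capath,            # None when the directory does not exist
        "cafile_source": source(paths.openssl_cafile_env, paths.openssl_cafile),
        "capath_source": source(paths.openssl_capath_env, paths.openssl_capath),
        "x509_ca": stats["x509_ca"],
        "loaded_any_ca": stats["x509_ca"] > 0,
        "nothing_to_load": paths.cafile is None and paths.capath is None,
    }


if __name__ == "__main__":
    for key, value in verify_store_report().items():
        print(f"{key:16} {value}")
```

One caveat when reading the report: OpenSSL loads a `cafile` eagerly but consults a hashed `capath` directory lazily at lookup time, so `x509_ca == 0` together with a valid `capath` does not prove the store is empty; `nothing_to_load` being true, on the other hand, means certificate verification against system CAs will fail regardless.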

@pitrou
Member

pitrou commented Jun 8, 2013

> How about a single return value:
>
> DefaultVerifyPaths = collections.namedtuple("DefaultVerifyPaths",
>     "cafile capath openssl_cafile_env openssl_cafile openssl_capath_env openssl_capath")

Sounds good.

@python-dev
Mannequin

python-dev mannequin commented Jun 9, 2013

New changeset a4d31e56075d by Christian Heimes in branch 'default':
Issue bpo-18143: Implement ssl.get_default_verify_paths() in order to debug
http://hg.python.org/cpython/rev/a4d31e56075d

@tiran tiran closed this as completed Jun 24, 2013
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022