Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

refresh CA certificates #1105

merged 1 commit into from Jan 17, 2013


None yet
2 participants

slingamn commented Jan 17, 2013

In order to resolve the TURKTRUST compromise, and to catch any other
issues that may have fallen through the cracks, I'm changing
the certificate bundle to match the /etc/pki/tls/certs/ca-bundle.crt
on my system, from Fedora 18's package ca-certificates-2012.87-1.fc18.noarch.

See #1102 for some discussion.

As per yum info, the certificate file is public-domain:

$ sudo yum info ca-certificates
Loaded plugins: changelog, langpacks, presto, refresh-packagekit
Installed Packages
Name : ca-certificates
Arch : noarch
Version : 2012.87
Release : 1.fc18
Size : 1.6 M
Repo : installed
From repo : updates
Summary : The Mozilla CA root certificate bundle
URL : http://www.mozilla.org/
License : Public Domain
Description : This package contains the set of CA certificates chosen by the
: Mozilla Foundation for use with the Internet PKI.


slingamn commented Jan 17, 2013

The file appears to have grown from 210K to 697K :-\


kennethreitz commented Jan 17, 2013

I'd prefer to stick with our existing CA bundle.


slingamn commented Jan 17, 2013

Cool, if you're sure we have all the relevant revocations covered. This diff just removes the TURKTRUST roots.

Does certifi require an analogous pull request? Is certifi being end-of-lifed now that it's vendored here?


kennethreitz commented Jan 17, 2013

Yeah, I'll move it to my archive account. Thanks for this!

kennethreitz added a commit that referenced this pull request Jan 17, 2013

@kennethreitz kennethreitz merged commit f8d729a into requests:master Jan 17, 2013

1 check passed

default The Travis build passed

slingamn added a commit to slingamn/requests that referenced this pull request Jan 18, 2013

Remove support for certifi
As per #1105, certifi is being end-of-lifed. Requests will use either
its own vendored bundle, or possibly (when packaged with OS distributions)
an externally packaged bundle, which can be enabled by patching
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment