Skip to content

Call SSL_CTX_load_verify_locations by default when initializing an SSL_CTX #632

Description

@reaperhulk

cryptography is planning to ship a manylinux1 wheel soon(ish). Unfortunately, the default verify location for SSL_CTX is defined during compile and different linux distributions choose different locations. This means that pyOpenSSL will experience issues with finding certificate trust stores on many distributions unless we make a change. To (generally) preserve the existing behavior it has been proposed that we write some code that iterates over a set of possible paths and finds the cert store. This would mimic the existing behavior of Go (root_linux.go).

To a first approximation this PR would add a method call in SSL.Context.__init__ that finds the root store and then calls SSL_CTX_load_verify_locations on the context.

Update: The original proposal here is nowhere near what has actually been implemented. See #633 for details.

cc @alex @hynek @Lukasa @njsmith @tiran to see if anybody has objections to this approach.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions