cryptography is planning to ship a manylinux1 wheel soon(ish). Unfortunately, the default verify location for SSL_CTX is defined during compile and different linux distributions choose different locations. This means that pyOpenSSL will experience issues with finding certificate trust stores on many distributions unless we make a change. To (generally) preserve the existing behavior it has been proposed that we write some code that iterates over a set of possible paths and finds the cert store. This would mimic the existing behavior of Go (root_linux.go).
To a first approximation this PR would add a method call in SSL.Context.__init__ that finds the root store and then calls SSL_CTX_load_verify_locations on the context.
Update: The original proposal here is nowhere near what has actually been implemented. See #633 for details.
cc @alex @hynek @Lukasa @njsmith @tiran to see if anybody has objections to this approach.
cryptographyis planning to ship amanylinux1wheel soon(ish). Unfortunately, the default verify location for SSL_CTX is defined during compile and different linux distributions choose different locations. This means that pyOpenSSL will experience issues with finding certificate trust stores on many distributions unless we make a change. To (generally) preserve the existing behavior it has been proposed that we write some code that iterates over a set of possible paths and finds the cert store. This would mimic the existing behavior of Go (root_linux.go).To a first approximation this PR would add a method call in
SSL.Context.__init__that finds the root store and then callsSSL_CTX_load_verify_locationson the context.Update: The original proposal here is nowhere near what has actually been implemented. See #633 for details.
cc @alex @hynek @Lukasa @njsmith @tiran to see if anybody has objections to this approach.