Clarify PyOpenSSL requirements for loading system CA certs


    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 3.12, 4.0
    • Affects Version/s: None
    • Component/s: None

      According to PyOpenSSL's docs, it has no way to load CA certs on Windows, and can only load them from Homebrew's OpenSSL on macOS.

      https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_default_verify_paths

      We didn't notice this, I think, because we have wincertstore installed for all our test Pythons on Windows, and presumably have Homebrew installed on all our macOS hosts. Wincertstore hasn't had a release in years and only claims to support up to Python 3.4.

      I'd like to see if we can read CA certs on both Windows and macOS using CPython's ssl module, then load them into PyOpenSSL, perhaps using these APIs:

      https://docs.python.org/3/library/ssl.html#ssl.SSLContext.get_ca_certs
      https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.get_cert_store
      https://www.pyopenssl.org/en/stable/api/crypto.html#OpenSSL.crypto.X509Store.add_cert
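The approach proposed above, worked through as an added example (my code, not PyMongo's or PyOpenSSL's); it assumes pyOpenSSL 20 or later for `SSL.TLS_CLIENT_METHOD`, and the function names are mine:

```python
import ssl
import sys


def system_ca_certs_der():
    """Return the roots CPython's ssl module trusts, as DER bytes.

    load_default_certs() reads the Windows ROOT and CA stores on Windows and
    OpenSSL's default cafile/capath elsewhere. get_ca_certs() only reports
    certificates already loaded into this context, so it must run after
    load_default_certs(); roots in a capath directory are loaded lazily by
    OpenSSL and may be absent from the list until first used.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return list(ctx.get_ca_certs(binary_form=True))


def load_into_pyopenssl(pyopenssl_ctx, der_certs):
    """Add each DER cert to the context's X509Store; return how many it took.

    Older OpenSSL builds reject a duplicate root with crypto.Error while
    newer ones accept it silently, so the error is skipped, not fatal.
    """
    from OpenSSL import crypto  # optional dependency, imported lazily

    store = pyopenssl_ctx.get_cert_store()
    accepted = 0
    for der in der_certs:
        cert = crypto.load_certificate(crypto.FILETYPE_ASN1, der)
        try:
            store.add_cert(cert)
        except crypto.Error:
            continue
        accepted += 1
    return accepted


def make_verifying_context():
    """Build a PyOpenSSL client context that verifies peers against OS roots."""
    from OpenSSL import SSL

    ders = system_ca_certs_der()
    if not ders:
        # Fail closed and loudly: an empty store would make every handshake
        # fail with an opaque error, inviting someone to disable verification.
        raise RuntimeError(f"ssl found no CA certificates on {sys.platform}")
    ctx = SSL.Context(SSL.TLS_CLIENT_METHOD)
    load_into_pyopenssl(ctx, ders)
    ctx.set_verify(SSL.VERIFY_PEER, lambda conn, cert, errno, depth, ok: bool(ok))
    return ctx
```

On a Linux host whose trust store is a capath directory, `system_ca_certs_der()` can legitimately return an empty list, which is why `make_verifying_context()` refuses to continue rather than returning a context that trusts nothing.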

    • Assignee: Bernie Hackett
    • Reporter: Bernie Hackett
    • Votes: 0
    • Watchers: 2
