Python Driver / PYTHON-2508

Clarify PyOpenSSL requirements for loading system CA certs

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 3.12, 4.0
    • Affects Version/s: None
    • Component/s: None
    • Labels: None

      According to PyOpenSSL's docs, it has no way to load CA certs on Windows, and can only load them from Homebrew's OpenSSL on macOS.

      https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_default_verify_paths

      We didn't notice this, I think, because we have wincertstore installed for all our test Pythons on Windows, and presumably have Homebrew installed on all our macOS hosts. Wincertstore hasn't had a release in years and only claims to support up to Python 3.4.

      I'd like to see if we can read CA certs on both Windows and macOS using CPython's ssl module, then load them into PyOpenSSL, perhaps using these APIs:

      https://docs.python.org/3/library/ssl.html#ssl.SSLContext.get_ca_certs
      https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.get_cert_store
      https://www.pyopenssl.org/en/stable/api/crypto.html#OpenSSL.crypto.X509Store.add_cert
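A sketch of the approach the description proposes, written here as an added example (it is not code from the PyMongo project): read the OS trust store through CPython's ssl module, de-duplicate by fingerprint, then push each DER certificate into a PyOpenSSL context's X509Store via the three APIs linked above. The function names are my own; pyOpenSSL is imported lazily so the stdlib half runs without it.

```python
import hashlib
import ssl


def dedupe_der(certs):
    """Drop duplicate DER blobs (OS stores often hold the same root twice and
    older pyOpenSSL raised on a duplicate add_cert), keyed by SHA-256
    fingerprint, preserving first-seen order."""
    seen, unique = set(), []
    for der in certs:
        fingerprint = hashlib.sha256(der).digest()
        if fingerprint not in seen:
            seen.add(fingerprint)
            unique.append(der)
    return unique


def collect_system_ca_certs():
    """Read the platform trust store with CPython's ssl module and return it
    as a list of DER-encoded CA certificates.

    create_default_context() calls load_default_certs(), which on Windows
    enumerates the ROOT and CA system stores and on POSIX uses OpenSSL's
    default verify paths.  Caveat from the ssl docs: certificates that live
    only in a capath directory are not reported by get_ca_certs() until a
    connection has actually used them, so a cafile-style bundle is the
    reliable source.  What turns up on macOS depends on how the interpreter's
    OpenSSL was built and where its default paths point.
    """
    py_ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    return dedupe_der(py_ctx.get_ca_certs(binary_form=True))


def add_to_pyopenssl_context(ctx, ders):
    """Add DER certs to the X509Store behind a PyOpenSSL OpenSSL.SSL.Context
    and return how many were added."""
    from OpenSSL import crypto  # lazy: the collection step needs only the stdlib

    store = ctx.get_cert_store()
    for der in ders:
        store.add_cert(crypto.load_certificate(crypto.FILETYPE_ASN1, der))
    return len(ders)


if __name__ == "__main__":
    from OpenSSL import SSL

    ctx = SSL.Context(SSL.TLS_CLIENT_METHOD)
    # Verification stays on; the callback just reports OpenSSL's own verdict.
    ctx.set_verify(SSL.VERIFY_PEER, lambda conn, cert, errno, depth, ok: ok)
    print("loaded", add_to_pyopenssl_context(ctx, collect_system_ca_certs()), "CA certs")
```

On a host with no system trust store (a bare container, for instance) collect_system_ca_certs() legitimately returns an empty list, which is the condition the original ticket is about surfacing clearly.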

            Assignee: Bernie Hackett (bernie@mongodb.com)
            Reporter: Bernie Hackett (bernie@mongodb.com)
