On 04/08/2017 15:44, Robin Becker wrote:
> ..........
>>
>> Hi Robin
>>
>> I am not sure how this is any benefit over the self-signed root certs that I
>> now use?
>>
>> Except for the fact that these are a root cert as well and don't use any CA
>> trust chain.
>> To be able to validate this cert, I have to load it as a CA cert on the
>> validating side.
>> Which isn't bad per se.
>>
>> I've used openssl as mentioned here to create my certs:
>> https://docs.python.org/3.7/library/ssl.html#self-signed-certificates
> .........Well I was thinking perhaps you had trouble with self signed certs
> for some reason. I only used CA type setup because some recipe for mongo
> clusters seems to want that. I think the mariadb clusters were fine with
> simple self signed certs. However, if I control the cluster can I not just
> distribute the cert to all members and have them validate it against itself
> or does python refuse to do that? I vaguely remember some python apis allow
> the authority chain to be specified.
You can specify a CA cert using load_verify_locations on the ssl context. Is
that what you meant? I figured out that if you set that to the peer's
certificate it will then be accepted. I understand it as much as "hey openssl
here is a root cert that you should trust if you encounter it". Without doing
this, the cert is denied on the SSL level (unless you set the ssl options to
no-cert-required but that is definitely not what I wanted).

Bottom line is I learned something new :) And also that Python's standard ssl
library isn't as bad as I remember it to be a few years ago. Is there still a
reason to use, say, PyOpenSSL anymore?

Irmen

-- 
https://mail.python.org/mailman/listinfo/python-list
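The behaviour Irmen describes, shown end to end as an added example (this is not code from the thread or from Python's own docs): a self-signed certificate is generated with the openssl CLI the linked docs page uses, a TLS server presents it on a loopback port, and a client with a default verifying context is refused until that same certificate is handed to load_verify_locations as its trust anchor. Hostname checking is left on throughout, so the pin is "this exact cert for this exact name", not "trust anything". It assumes an openssl binary of 1.1.1 or newer is on PATH (for -addext); everything else is the standard library.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(directory, hostname="localhost"):
    """Create a self-signed cert/key pair with the openssl CLI.

    Same idea as the recipe linked in the thread; -addext puts the name in a
    SubjectAltName so modern hostname checking matches it (needs OpenSSL 1.1.1+).
    Returns (cert_path, key_path).
    """
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", f"/CN={hostname}",
         "-addext", f"subjectAltName=DNS:{hostname}"],
        check=True, capture_output=True,
    )
    return cert, key


def run_server(listener, cert, key, n_clients):
    """Accept n_clients TLS connections, presenting the self-signed cert.

    A client that rejects the cert aborts the handshake with an alert, which
    surfaces here as SSLError; that is expected for the 'before' connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    for _ in range(n_clients):
        raw, _ = listener.accept()
        try:
            with ctx.wrap_socket(raw, server_side=True) as tls:
                tls.sendall(b"hello")
        except (ssl.SSLError, OSError):
            pass


def try_connect(port, ca_file=None):
    """Connect with a verifying client context; True only if the cert passed.

    create_default_context() gives CERT_REQUIRED plus check_hostname=True.
    Passing ca_file adds the peer's own self-signed cert as a trust anchor,
    which is exactly what the thread found makes the peer acceptable.
    """
    ctx = ssl.create_default_context()
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                return tls.recv(1024) == b"hello"
    except ssl.SSLCertVerificationError:
        # Raised during the handshake: the cert is unknown to this context.
        return False


def demo():
    """Return (accepted_without_pin, accepted_with_pin) for the same server."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))   # ephemeral loopback port
        listener.listen(2)
        port = listener.getsockname()[1]
        server = threading.Thread(
            target=run_server, args=(listener, cert, key, 2), daemon=True)
        server.start()
        without_pin = try_connect(port)             # default trust store only
        with_pin = try_connect(port, ca_file=cert)  # peer cert pinned as anchor
        server.join(timeout=10)
        listener.close()
    return without_pin, with_pin


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The "with pin" connection succeeds because OpenSSL treats a self-signed certificate found in the trust store as its own anchor, so no CA chain is needed; the cost is that every peer that should be trusted has to be loaded explicitly, which is the trade-off Robin's question is about.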