Re: [Python-Dev] PEP476: Enabling certificate validation by default

2014-09-21 Thread Christian Heimes
On 21.09.2014 01:03, Nick Coghlan wrote:
> We may also need some clarification from Ned regarding the status of
> OpenSSL and the potential impact switching from dynamic linking to
> static linking of OpenSSL may have in terms of the
> "OPENSSL_X509_TEA_DISABLE" setting.

You may want to ask Hynek, too. He initially discovered the issue and
made me aware how Apple is tying keychain into OpenSSL. You may find the
code in:

http://opensource.apple.com/source/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_vfy_apple.h
http://opensource.apple.com/source/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_vfy_apple.c


The TEA (Trust Evaluation Agent) switch is global and affects all SSL
context instances. There is no canonical way to set the TEA flag for a
single context or socket.


#include <stdlib.h>              /* getenv() */

/* Environment variable name, as defined in x509_vfy_apple.h */
#define X509_TEA_ENV_DISABLE "OPENSSL_X509_TEA_DISABLE"

/* -1: not set
 *  0: set to false
 *  1: set to true
 */
static int tea_enabled = -1;     /* one value for the whole process */

/* Explicit override; there is no per-context argument. */
void
X509_TEA_set_state(int change)
{
    tea_enabled = (change) ? 1 : 0;
}

/* The environment is consulted only on the first call; the answer is
 * cached in the static for every later call. */
int
X509_TEA_is_enabled(void)
{
    if (tea_enabled < 0)
        tea_enabled = (NULL == getenv(X509_TEA_ENV_DISABLE));

    return tea_enabled != 0;
}


___
Python-Dev mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
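The following is an added example, not Apple's or CPython's code: a stand-alone model of the TEA switch quoted in the message above, with three small scenarios showing why it cannot be scoped to one SSL context. It mirrors the quoted logic (a static flag, lazily read from OPENSSL_X509_TEA_DISABLE); the model_ / scenario_ names and the reset helper are assumptions for the demo and do not exist in the real library.

```c
/* Added example, not Apple's code: a model of the process-wide TEA switch.
 * All "model_" and "scenario_" names are assumed for this demonstration. */
#define _POSIX_C_SOURCE 200809L     /* setenv()/unsetenv() */
#include <stdlib.h>
#include <stdio.h>

/* Variable name as given in x509_vfy_apple.h */
#define MODEL_TEA_ENV_DISABLE "OPENSSL_X509_TEA_DISABLE"

/* One process-wide value, exactly like the static in the quoted code:
 * -1 = not yet evaluated, 0 = disabled, 1 = enabled. */
static int model_tea_enabled = -1;

void model_tea_set_state(int change)
{
    model_tea_enabled = change ? 1 : 0;
}

int model_tea_is_enabled(void)
{
    if (model_tea_enabled < 0)          /* only the first call reads the environment */
        model_tea_enabled = (getenv(MODEL_TEA_ENV_DISABLE) == NULL);
    return model_tea_enabled != 0;
}

/* Demo-only helper: the real library offers no way to "un-latch" the switch. */
static void model_tea_reset(void)
{
    model_tea_enabled = -1;
    unsetenv(MODEL_TEA_ENV_DISABLE);
}

/* Scenario 1: variable exported before the first certificate check -> TEA off.
 * Returns the enabled flag (expected 0). */
int scenario_env_set_before_first_use(void)
{
    model_tea_reset();
    setenv(MODEL_TEA_ENV_DISABLE, "1", 1);
    int enabled = model_tea_is_enabled();
    model_tea_reset();
    return enabled;
}

/* Scenario 2: variable set only after the first check -> ignored, because the
 * first answer was cached.  Returns 1 when that latch was observed. */
int scenario_env_set_after_first_use(void)
{
    model_tea_reset();
    int before = model_tea_is_enabled();           /* 1: nothing in the environment */
    setenv(MODEL_TEA_ENV_DISABLE, "1", 1);
    int after = model_tea_is_enabled();            /* still 1: cached */
    model_tea_reset();
    return before == 1 && after == 1;
}

/* Scenario 3: set_state() from any caller changes the answer for every later
 * caller; two "contexts" cannot disagree.  Returns 1 when that is observed. */
int scenario_set_state_is_global(void)
{
    model_tea_reset();
    int ctx_a_before = model_tea_is_enabled();     /* 1 */
    model_tea_set_state(0);                        /* "context A" turns TEA off */
    int ctx_b = model_tea_is_enabled();            /* "context B" now sees 0 as well */
    model_tea_reset();
    return ctx_a_before == 1 && ctx_b == 0;
}

int main(void)
{
    printf("env set before first use -> enabled=%d\n", scenario_env_set_before_first_use());
    printf("env set after first use is ignored: %d\n", scenario_env_set_after_first_use());
    printf("set_state is process-global: %d\n", scenario_set_state_is_global());
    return 0;
}
```

The practical consequence for an embedding application such as a Python interpreter is that the variable has to be in the process environment before OpenSSL performs its first verification; exporting it later, or setting it from one part of the program in the hope of affecting only that part's sockets, changes nothing or changes everything.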


Re: [Python-Dev] PEP476: Enabling certificate validation by default

2014-09-21 Thread Larry Hastings


On 09/20/2014 11:05 PM, Nick Coghlan wrote:
> On 21 September 2014 03:05, Alex Gaynor wrote:
>> That sounds reasonable to me -- at this point I don't expect this to make it
>> into 3.4.2; Nick has some working code on the ticket:
>> http://bugs.python.org/issue22417 it's mostly missing documentation.
>
> I also think it's more sensible to target 2.7.9 & 3.4.3 for this
> change, especially given the remaining rough edges in custom trust
> database configuration on Windows and Mac OS X that Christian pointed
> out in http://bugs.python.org/issue22449


FWIW, I tagged 3.4.2rc1 about 24 hours ago, so it certainly didn't make 
it into that.  I could live with it going into 3.4.2 final if the 
community was convinced that was the right thing to do.  But I'm more 
than happy about the conservative turn the plans have taken.


If this isn't going in until 3.4.3, does that mean we need 3.4.3 on any 
sort of particular schedule?



//arry/