[issue19292] Make SSLContext.set_default_verify_paths() work on Windows

2015-04-13 Thread Antoine Pitrou
Antoine Pitrou added the comment: Great! Thank you!
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed

2015-04-13 Thread Christian Heimes
Christian Heimes added the comment: I think we can close this bug for good.

2015-04-13 Thread Antoine Pitrou
Changes by Antoine Pitrou:
assignee: pitrou ->

2014-03-09 Thread Roundup Robot
Roundup Robot added the comment: New changeset 35a5284d5388 by R David Murray in branch 'default': whatsnew: SSLContext.load_default_certs (#19292). http://hg.python.org/cpython/rev/35a5284d5388

2013-11-23 Thread Roundup Robot
Roundup Robot added the comment: New changeset dfd33140a2b5 by Christian Heimes in branch 'default': Issue #19292: Add SSLContext.load_default_certs() to load default root CA http://hg.python.org/cpython/rev/dfd33140a2b5
nosy: +python-dev

2013-11-23 Thread Christian Heimes
Christian Heimes added the comment: New patch with enum (for Antoine), tests and documentation.
assignee: -> pitrou
Added file: http://bugs.python.org/file32793/load_default_certs2.patch

2013-11-22 Thread Guido van Rossum
Guido van Rossum added the comment: So do you need anything on *this* issue? (And are you asking me to review/approve the other issue? I haven't kept track carefully enough for that, and the beta is looming.)

2013-11-21 Thread Christian Heimes
Christian Heimes added the comment: I have slightly different plans to make it even easier, #19689

2013-11-21 Thread Guido van Rossum
Guido van Rossum added the comment: Can you also add a patch to asyncio (I suppose to the code where it calls set_default_verify_paths())?

2013-11-21 Thread Christian Heimes
Christian Heimes added the comment: The patch implements a new method SSLContext.load_default_certs(). A new method is required because set_default_verify_paths() doesn't have a way to specify a purpose. Every cert store allows the user to specify the purpose of a certificate (e.g. suitable

2013-10-21 Thread intgr
Changes by intgr:
nosy: +intgr

2013-10-19 Thread Christian Heimes
Christian Heimes added the comment: Can somebody step in for #16487 please? For my stuff I just need to load DER as bytes and maybe PEM as str.

2013-10-19 Thread Guido van Rossum
Guido van Rossum added the comment: No, please let's not get in the business of shipping certs. Please not. There should be only *one* place per system where sysadmins have to update certs. It would not scale if every language implementation were to have its own set of certs. Trusting only certs

2013-10-19 Thread Christian Heimes
Christian Heimes added the comment: I fear it's a bit too late in the release cycle to get it right. Feature freeze is in about a month and this is a major change. The set_default_verify_paths() works only on some Unix platforms when OpenSSL is configured with the distribution-specific paths to

2013-10-19 Thread Antoine Pitrou
Antoine Pitrou added the comment:

> But do you agree that the urllib default should be changed?

Well, I'm fine for 3.4, even though I'm not particularly enthusiastic :-)

2013-10-19 Thread Guido van Rossum
Guido van Rossum added the comment: But do you agree that the urllib default should be changed?

2013-10-19 Thread Antoine Pitrou
Antoine Pitrou added the comment: > Tools like svn and hg have extensive configurations for this purpose, and > (at least hg) secure defaults; I certainly remember having to deal with hg > complaining about the security of some repo site, where the fix was > something I had to put in my .hgrc. Th

2013-10-19 Thread Guido van Rossum
Guido van Rossum added the comment: So you agree that we should change the urllib default in 3.4? I'm all for that. Tools like svn and hg have extensive configurations for this purpose, and (at least hg) secure defaults; I certainly remember having to deal with hg complaining about the security

2013-10-19 Thread Antoine Pitrou
Antoine Pitrou added the comment: > @Antoine: I still claim that a flag that defaults to no security is a > vulnerability -- nobody reads warnings in docs until *after* they've been > bitten. It should be an explicit choice in the script or app to disable > certificate checking. If we were intro

2013-10-19 Thread Christian Heimes
Christian Heimes added the comment:

On 19.10.2013 18:02, Guido van Rossum wrote:
> @Christian: What is holding up those patches? I don't believe we should be
> in the business of distributing certificates -- we should however make it
> easy to use the system certificates.

The usual issues: lac

2013-10-19 Thread Guido van Rossum
Guido van Rossum added the comment: @Christian: What is holding up those patches? I don't believe we should be in the business of distributing certificates -- we should however make it easy to use the system certificates. @Antoine: I still claim that a flag that defaults to no security is a vuln

2013-10-19 Thread Antoine Pitrou
Antoine Pitrou added the comment:

> Why is this not a security patch? Because it's not a "vulnerability"
> in the narrow technical sense? I expect that it will greatly increase
> the actual practical security, by making it easier to do the right
> thing.

IMO it's not a vulnerability. It's not a

2013-10-19 Thread Christian Heimes
Christian Heimes added the comment: http://www.python.org/dev/peps/pep-0453/#bundling-ca-certificates-with-cpython proposes that ensurepip comes with a default CA cert bundle, too. I see two issues with the proposal: 1) We must have a way to update the cert bundle outside the release cycle, e.

2013-10-19 Thread Christian Heimes
Christian Heimes added the comment: I've implemented most of the necessary bindings in #17134. It's still missing trust setting checks and #16487 to load certs from memory or file object.

2013-10-18 Thread Guido van Rossum
Guido van Rossum added the comment: Why is this not a security patch? Because it's not a "vulnerability" in the narrow technical sense? I expect that it will greatly increase the actual practical security, by making it easier to do the right thing.

2013-10-18 Thread Antoine Pitrou
Antoine Pitrou added the comment:

> Maybe once this is addressed we could also change urllib.request.urlopen() to
> default to cadefault=True?

I don't think it's ok to change the default and break compatibility. Passing True manually is easy enough.

nosy: +pitrou

2013-10-18 Thread Antoine Pitrou
Changes by Antoine Pitrou:
nosy: +christian.heimes
type: security -> enhancement
versions: -Python 3.3

2013-10-18 Thread Guido van Rossum
Guido van Rossum added the comment: Maybe once this is addressed we could also change urllib.request.urlopen() to default to cadefault=True?

2013-10-18 Thread Guido van Rossum
New submission from Guido van Rossum: See discussion on https://groups.google.com/forum/#!topic/python-tulip/c_lqdFjPEbE . If you set sslcontext.verify_mode = ssl.CERT_REQUIRED and call sslcontext.set_default_verify_paths(), the stdlib ought to have enough smarts to use the system root certif