[Bug 251562] security/py-certifi: SSLError 'certificate verify failed' despite correct looking /etc/ssl/cert.pem

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 24 May 2021 07:59:10 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251562

--- Comment #3 from Andreas Strauch <andreas.strauch_at_hotmail.com> ---
(In reply to Kubilay Kocak from comment #2)

Yes, correct. IMHO it would be beneficial to have certifi use the system
provided root store. For the sake of security, the main goal should be to
encourage as much usage of TLS as possible.

As an example: my actual use case is about using certbot. I have the
'py37-certbot' and 'py37-certbot-nginx' packages installed because I run my own
ACME server at home. Of course my own ACME server does not have a TLS
certificate that could be found in official root stores. I have to add the TLS
root certificate of my 'personal little enterprise' to the system provided root
store. It is a little bit of extra work, but still no problem.

Now, my concern is that if 'private' TLS root certificates have to be added in
multiple places, it might make the case for not bothering and rely on the
'--no-verify-ssl' options (and equivalents) out there. It unnecessarily raises
the bar on both complexity and effort to use TLS and as such, undermines the
maximum possible speed in which TLS is being used by everybody.

Last but not least, I must admit that I know nothing about Python really and I
don't know the magnitude of implications involved to make such change.
Regardless, I will be happy to help where I can. Please put me in the direction
of tasks to be done and I will try my best.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
Received on Mon May 24 2021 - 07:59:10 UTC

Original text of this message