From: bugzilla-noreply@freebsd.org
To: python@FreeBSD.org
Subject: [Bug 251562] security/py-certifi: SSLError 'certificate verify failed' despite correct looking /etc/ssl/cert.pem
Date: Mon, 24 May 2021 07:59:10 +0000
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: needs-patch, needs-qa
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: andreas.strauch@hotmail.com
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: python@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback?
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: FreeBSD-specific Python issues
List-Archive: https://lists.freebsd.org/archives/freebsd-python

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251562

--- Comment #3 from Andreas Strauch ---

(In reply to Kubilay Kocak from comment #2)

Yes, correct. IMHO it would be beneficial to have certifi use the system provided root store. For the sake of security, the main goal should be to encourage as much usage of TLS as possible.

As an example: my actual use case is about using certbot. I have the 'py37-certbot' and 'py37-certbot-nginx' packages installed because I run my own ACME server at home. Of course my own ACME server does not have a TLS certificate that could be found in official root stores. I have to add the TLS root certificate of my 'personal little enterprise' to the system provided root store. It is a little bit of extra work, but still no problem.

Now, my concern is that if 'private' TLS root certificates have to be added in multiple places, it might make the case for not bothering and relying on the '--no-verify-ssl' options (and equivalents) out there. It unnecessarily raises the bar on both complexity and effort to use TLS and as such, undermines the maximum possible speed at which TLS is being used by everybody.

Last but not least, I must admit that I know nothing about Python really and I don't know the magnitude of implications involved to make such a change. Regardless, I will be happy to help where I can. Please put me in the direction of tasks to be done and I will try my best.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
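The problem the comment describes is that a private root CA added to the system store (`/etc/ssl/cert.pem` on FreeBSD) is invisible to a Python client that trusts only certifi's bundled Mozilla store, which tempts people toward disabling verification. The following is an added example, not code from the bug report, certifi or certbot: it resolves which CA bundle a Python TLS client should use (an explicit `SSL_CERT_FILE` override, then the system bundle, then OpenSSL's default, and certifi only as a last resort), builds a verifying `ssl.SSLContext` from it, and checks by SHA-256 fingerprint that a given root certificate is actually present in that bundle, so an operator can confirm the private root landed in the store the client reads before any connection is attempted. The `FREEBSD_SYSTEM_BUNDLE` constant and the `_constructed_pem` sample blocks are assumptions for the example; the sample PEM bodies are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import os
import ssl
from typing import Callable, Iterator, Mapping, Optional

# System-wide bundle on FreeBSD (the path named in the bug report).
FREEBSD_SYSTEM_BUNDLE = "/etc/ssl/cert.pem"


def resolve_ca_bundle(
    env: Mapping[str, str] = os.environ,
    system_bundle: str = FREEBSD_SYSTEM_BUNDLE,
    exists: Callable[[str], bool] = os.path.exists,
) -> Optional[str]:
    """Pick the CA bundle a Python TLS client should trust, preferring the
    operator-managed system store over a library-private one."""
    # 1. An explicit override wins; OpenSSL honours SSL_CERT_FILE natively.
    override = env.get("SSL_CERT_FILE")
    if override:
        return override
    # 2. The system store, where a private root CA is normally installed.
    if exists(system_bundle):
        return system_bundle
    # 3. OpenSSL's compiled-in default location, if this build has one.
    default = ssl.get_default_verify_paths().cafile
    if default and exists(default):
        return default
    # 4. Last resort: certifi's Mozilla bundle (contains no private roots).
    try:
        import certifi
        return certifi.where()
    except ImportError:
        return None


def make_context(cafile: str) -> ssl.SSLContext:
    """A verifying context: CERT_REQUIRED and hostname checking stay on,
    and the chosen bundle is added to the trust store."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def iter_pem_certs(bundle_text: str) -> Iterator[str]:
    """Yield each PEM CERTIFICATE block from a bundle's text, in order."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    pos = 0
    while True:
        i = bundle_text.find(begin, pos)
        if i < 0:
            return
        j = bundle_text.find(end, i)
        if j < 0:
            return
        j += len(end)
        yield bundle_text[i:j]
        pos = j


def sha256_fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER encoding, matching `openssl x509 -fingerprint -sha256`."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def bundle_contains(bundle_text: str, root_pem: str) -> bool:
    """True if the bundle carries a certificate byte-identical to root_pem."""
    want = sha256_fingerprint(root_pem)
    return any(sha256_fingerprint(c) == want for c in iter_pem_certs(bundle_text))


def _constructed_pem(label: bytes) -> str:
    """Constructed placeholder PEM block for offline demonstration only;
    its body is an arbitrary label, not a real X.509 certificate."""
    body = base64.encodebytes(label).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample data: a "public" root and the operator's private root.
SAMPLE_PUBLIC_ROOT = _constructed_pem(b"constructed placeholder: public root CA")
SAMPLE_PRIVATE_ROOT = _constructed_pem(b"constructed placeholder: private ACME root CA")
SAMPLE_SYSTEM_BUNDLE = SAMPLE_PUBLIC_ROOT + SAMPLE_PRIVATE_ROOT   # private root added
SAMPLE_CERTIFI_BUNDLE = SAMPLE_PUBLIC_ROOT                         # private root absent


if __name__ == "__main__":
    cafile = resolve_ca_bundle()
    print("bundle in use:", cafile)
    if cafile:
        with open(cafile) as fh:
            print("private root present:", bundle_contains(fh.read(), SAMPLE_PRIVATE_ROOT))
```

Running this on a FreeBSD host after importing the private root into `/etc/ssl/cert.pem` should report the system bundle as the one in use; passing `certifi.where()` to `bundle_contains` instead shows why a certifi-only client fails verification while `openssl s_client` succeeds.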