Python 2.7.9 looks for SSL certificates in /etc/ssl instead of /usr/local/etc/ssl

Kubilay Kocak koobs at FreeBSD.org
Mon Dec 29 05:36:41 UTC 2014


On 29/12/2014 4:18 PM, James D. Lin wrote:
> Hello,
> 
> I recently upgraded to Python 2.7.9 from the ports collection on my FreeBSD
> 10.0 system, and Python 2.7.9's change to enable SSL verification
> unexpectedly broke several of my Python scripts that made https connections
> to sites with valid SSL certificates.  The reason is that Python is looking
> for the CA file at /etc/ssl/cert.pem, which does not exist in my FreeBSD
> installation.  I do, however, have a /usr/local/etc/ssl/cert.pem file
> (which is actually a symlink to /usr/local/share/certs/ca-root-nss.crt):
> Calling ssl.get_default_verify_paths() in Python returns:
> 
> DefaultVerifyPaths(cafile=None,
>                    capath=None,
>                    openssl_cafile_env='SSL_CERT_FILE',
>                    openssl_cafile='/etc/ssl/cert.pem',
>                    openssl_capath_env='SSL_CERT_DIR',
>                    openssl_capath='/etc/ssl/certs')
> 
> Is this something that can (and should) be corrected in the Python 2.7.9
> port?
> 
> Thanks,
> 
> - James

James,

It's a bit of a spider web between base and ports openssl, along with
the ca_root_nss port, and various search path compatibility issues with
various consuming software (from ports).

What I can say is that *out of the box* (not base) support for SSL
certificate verification is important and we want to make it better, so
identifying the gaps is key.

You can see some more detail in the following issue, in which I also
mention Python's move to verification by default:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=189811

If you have anything to add, please comment as user feedback is very
important.

The Python team is also available on IRC at #freebsd-python (freenode)
if you want to discuss anything further :)

Thanks!

koobs
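
The situation reported above (both `cafile` and `capath` come back as `None` because nothing exists under /etc/ssl) can be detected and handled in a script without turning verification off. This is an added example, not code from the thread or from the FreeBSD port; the function names and the fallback order are assumptions, and the paths are the ones quoted in the message.

```python
import os
import ssl

# Values printed in the thread by ssl.get_default_verify_paths() on FreeBSD 10.0.
THREAD_PATHS = ssl.DefaultVerifyPaths(
    cafile=None, capath=None,
    openssl_cafile_env="SSL_CERT_FILE", openssl_cafile="/etc/ssl/cert.pem",
    openssl_capath_env="SSL_CERT_DIR", openssl_capath="/etc/ssl/certs",
)

# Assumption: fallback order chosen for this example; both paths are the ones
# named in the thread (the symlink first, then its target).
FALLBACK_CAFILES = (
    "/usr/local/etc/ssl/cert.pem",
    "/usr/local/share/certs/ca-root-nss.crt",
)


def pick_ca_bundle(paths, fallbacks=FALLBACK_CAFILES, isfile=os.path.isfile):
    """Return (cafile, reason); cafile=None means OpenSSL's defaults are usable."""
    # Python sets cafile/capath to None when the compiled-in (or SSL_CERT_FILE /
    # SSL_CERT_DIR) location does not exist, which is the state shown in the thread.
    if paths.cafile or paths.capath:
        return None, "default"
    for candidate in fallbacks:
        if isfile(candidate):
            return candidate, "fallback"
    # Fail closed: never fall back to an unverified context.
    raise RuntimeError("no CA bundle at %s or %s" % (paths.openssl_cafile, list(fallbacks)))


def build_context(paths=None, isfile=os.path.isfile):
    """Create a verifying client context, pinning cafile only when needed."""
    paths = paths or ssl.get_default_verify_paths()
    cafile, reason = pick_ca_bundle(paths, isfile=isfile)
    # create_default_context() enables CERT_REQUIRED and hostname checking.
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx, reason


if __name__ == "__main__":
    try:
        ctx, reason = build_context()
        print("CA source:", reason, "| verify_mode:", ctx.verify_mode)
    except RuntimeError as exc:
        print("verification cannot work here:", exc)
```

Setting `SSL_CERT_FILE` to the ca_root_nss bundle has the same effect for unmodified scripts, since Python lets that variable shadow the compiled-in path.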
