Cory Benfield

Results 1310 comments of Cory Benfield

Debian's cert bundle is almost certainly like Ubuntu's, which does not update to the Mozilla bundle that removed 1024-bit roots in order to avoid the pain like that which hit...

Note that that is already the API certitude provides.

> I think true native support (i.e.: mapping "is this certificate okay?" requests to OS APIs) would be preferable.

That is very nearly impossible. The issue there is that there...

Ok, so let's think about this a different way slightly. Right now the discussion has focused on "where do we get the certificates", but that's not really a sufficiently detailed...

@glyph Certitude can get this right by ignoring what the distro OpenSSL tells us and doing what curl does instead, which is to hardcode the list of paths and walk...

Credit to @bagder for that approach, especially as I'm just going to steal it.

@shypike Let's clear some things up. =) Firstly, requests can and does verify certificates out of the box, and has been doing so for years: much longer than the standard...

@untitaker Yes, we can, and so I'm not worried about Linux. Linux is the easy case here. It's everything else that is tricky.

@shypike My psychic powers tell me that your OpenSSL is pretty old. Take a read through of the discussion on certifi/python-certifi#26.

@mwcampbell PyOpenSSL does _not_ support this, and never will, because PyOpenSSL is a thin wrapper library around OpenSSL, and so doesn't support the relevant APIs. However, I recently got merged...