py25-m2crypto / openssl / root certs and CAs on OSX

Thomas Keller tommyd at
Fri Dec 11 16:21:12 PST 2009

Hash: SHA1


I'm currently trying to get a python-based cli client running which
bases its ssl implementation on py25-m2crypto.

The latter package has a load_verify_locations() method in
SSL/ which takes either a single pem / root cert or a
directory of certs. The aforementioned cli client now tries to guess
these verify locations by checking for the existence of either
/etc/ssl/certs or /etc/pki/tls/cert.pem, which of course both do not
exist on OSX.

What I've found out on the whole root cert topic (I'm pretty new to
this) is that OSX stores the root certs in proprietary binary keychain
file(s) under /System/Library/Keychains, which py25-m2crypto can't
handle. So the question arises how py25-m2crypto could either be made to
accept this keychain format or how this has been handled for other ports
/ parts in MacPorts. (I guess internally py25-m2crypto also only uses
openssl somehow and I hope there is already a solution for this.)

Patching the load_verify_locations() step out of the cli clients code
will work temporarily, until of course I get an openssl prompt which
asks me if I want to accept the (for openssl) unknown, but valid remote
site certificate for which it misses a root cert...

Any hints?

Thanks in advance,

- -- 
GPG-Key 0x160D1092 | tommyd3mdi at |
Please note that according to the EU law on data retention, information
on every electronic information exchange might be retained for a period
of six months or longer:
Version: GnuPG v1.4.10 (Darwin)
Comment: Using GnuPG with Mozilla -


More information about the macports-dev mailing list