py25-m2crypto / openssl / root certs and CAs on OSX

Jeremy Lavergne jeremy at lavergne.gotdns.org
Fri Dec 11 16:29:11 PST 2009


Load port:curl-ca-certificates

The cert will be in ${prefix}/share/curl/curl-ca-bundle.crt

On Dec 11, 2009, at 7:21 PM, Thomas Keller wrote:

> Hi!
> 
> I'm currently trying to get a python-based cli client running which
> bases its ssl implementation on py25-m2crypto.
> 
> The latter package has a load_verify_locations() method in
> SSL/Context.py which takes either a single pem / root cert or a
> directory of certs. The aforementioned cli client now tries to guess
> these verify locations by checking for the existence of either
> /etc/ssl/certs or /etc/pki/tls/cert.pem, which of course both do not
> exist on OSX.
> 
> What I've found out on the whole root cert topic (I'm pretty new to
> this) is that OSX stores the root certs in proprietary binary keychain
> file(s) under /System/Library/Keychains, which py25-m2crypto can't
> handle. So the question arises how py25-m2crypto could either be made to
> accept this keychain format or how this has been handled for other ports
> / parts in MacPorts. (I guess internally py25-m2crypto also only uses
> openssl somehow and I hope there is already a solution for this.)
> 
> Patching the load_verify_locations() step out of the cli client's code
> will work temporarily, until of course I get an openssl prompt which
> asks me if I want to accept the (for openssl) unknown, but valid remote
> site certificate for which it misses a root cert...
> 
> Any hints?
> 
> Thanks in advance,
> Thomas.
> 
> -- 
> GPG-Key 0x160D1092 | tommyd3mdi at jabber.ccc.de | http://thomaskeller.biz
> Please note that according to the EU law on data retention, information
> on every electronic information exchange might be retained for a period
> of six months or longer: http://www.vorratsdatenspeicherung.de/?lang=en
> 
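
Added example, not part of the original thread: one way a client could extend the path guessing described above to include the bundle from port:curl-ca-certificates, and fail closed when no trust store is found instead of skipping load_verify_locations(). The function names are hypothetical, and /opt/local is assumed as the MacPorts ${prefix}.

```python
import os


def candidate_ca_paths(prefix="/opt/local"):  # assumption: default MacPorts prefix
    """Probe order: the two paths the client already checks, then the
    bundle installed by the curl-ca-certificates port."""
    return [
        "/etc/ssl/certs",
        "/etc/pki/tls/cert.pem",
        os.path.join(prefix, "share", "curl", "curl-ca-bundle.crt"),
    ]


def find_verify_location(candidates):
    """Return ("cafile", path) or ("capath", path) for the first usable entry."""
    for path in candidates:
        if os.path.isfile(path) and os.path.getsize(path) > 0:
            return ("cafile", path)
        # OpenSSL expects a capath directory to hold hash-named certificates.
        if os.path.isdir(path) and os.listdir(path):
            return ("capath", path)
    # Fail closed: without a trust store the peer cannot be authenticated.
    raise RuntimeError("no CA certificates found; tried: " + ", ".join(candidates))


def make_verified_context(candidates=None):
    """Build an M2Crypto SSL.Context that verifies the peer certificate."""
    from M2Crypto import SSL  # imported lazily so the locator runs without it

    kind, path = find_verify_location(candidates or candidate_ca_paths())
    ctx = SSL.Context()
    # load_verify_locations(cafile=None, capath=None) returns 1 on success.
    if ctx.load_verify_locations(**{kind: path}) != 1:
        raise RuntimeError("could not load CA certificates from " + path)
    ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, depth=9)
    return ctx
```
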
