Python 2.7.9 looks for SSL certificates in /etc/ssl instead of /usr/local/etc/ssl

Kubilay Kocak koobs at FreeBSD.org
Fri Jan 2 07:10:30 UTC 2015


On 1/01/2015 8:22 PM, possnfiffer wrote:
> I run FreeBSD 10.1-RELEASE x86_64. The last two updates for python2.7_2.2 I
> saw were Dec 22nd and Oct 10 (I believe); the Dec update is where I started
> having issues with my SABnzbdplus and SickBeard python scripts.
> 
> I wrote the following in hopes that readers searching for a fix to https not
> loading with your FreeBSD python scripts, like I was, will find the
> following useful to get their systems in working order.
> 
> Yo,
> The latest version of python changed its defaults and now it looks for CA
> certificate in /etc/ssl/cert.pem
> 

More precisely, Python uses OpenSSL's SSL_CTX_load_verify_locations
function to find certificates. It does not maintain a list of locations
internally.

For FreeBSD's base OpenSSL, this is /etc/ssl/cert.pem
For FreeBSD's Ports OpenSSL, this is /usr/local/openssl/cert.pem

I have opened a new issue to address Python (and other software) using
OpenSSL from Ports that has more detail here:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196431

Please add your +1 to it. Seriously.

If you want to see Python (and other software) using OpenSSL from Base
fixed, add your +1 to it, seriously:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=189811

The latter issue proposed to make the ETCSYMLINK option a default, so
people using ports with default options, and those using packages can
FINALLY get SSL certificate verification out of the box.

./koobs
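
An added diagnostic, not part of the original message and not FreeBSD or Python project code: it takes the CA locations reported by ssl.get_default_verify_paths() for the OpenSSL that Python is linked against and says whether trust anchors actually exist there. The certs directories in the samples and the SSL_CERT_FILE / SSL_CERT_DIR names are assumptions based on OpenSSL's usual conventions.

```python
import os
import ssl
from collections import namedtuple

# Same field names as ssl.DefaultVerifyPaths, so constructed samples fit too.
Paths = namedtuple("Paths", "cafile capath openssl_cafile_env openssl_cafile "
                            "openssl_capath_env openssl_capath")

def diagnose(paths, environ, isfile, listdir):
    """Return (status, detail) for the trust anchors OpenSSL would load."""
    # An environment override replaces the compiled-in path; there is no
    # fallback to the default if the override points at a missing file.
    env_file = environ.get(paths.openssl_cafile_env)
    cafile = env_file or paths.openssl_cafile
    capath = environ.get(paths.openssl_capath_env) or paths.openssl_capath
    if cafile and isfile(cafile):
        origin = "environment override" if env_file else "compiled-in default"
        return "ok", "CA bundle %s (%s)" % (cafile, origin)
    if capath and listdir(capath):
        # Approximation: a non-empty directory; OpenSSL needs hashed names.
        return "ok", "CA directory %s" % capath
    return "missing", "no CA bundle at %s, nothing in %s" % (cafile, capath)

def _entries(path):
    """List a directory, treating a missing or unreadable one as empty."""
    try:
        return os.listdir(path)
    except OSError:
        return []

# Constructed samples: the two bundle paths named in the message above;
# the certs directories and env-var names are assumed OpenSSL conventions.
BASE = Paths(None, None, "SSL_CERT_FILE", "/etc/ssl/cert.pem",
             "SSL_CERT_DIR", "/etc/ssl/certs")
PORTS = Paths(None, None, "SSL_CERT_FILE", "/usr/local/openssl/cert.pem",
              "SSL_CERT_DIR", "/usr/local/openssl/certs")

if __name__ == "__main__":
    # Run against the interpreter's real OpenSSL defaults and filesystem.
    print(diagnose(ssl.get_default_verify_paths(), os.environ,
                   os.path.isfile, _entries))
```

A "missing" result means certificate verification has no trust anchors to work with, which is the failure the original poster hit.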




