[Bug 230414] security/py-certifi: add option to use certificate bundle from ca_root_nss
bugzilla-noreply at freebsd.org
Wed Jun 10 15:47:10 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230414
--- Comment #12 from Michael Osipov <michael.osipov at siemens.com> ---
OK, let me share a bit differentiated view:
* The option needs to be just like for GSS-API:
GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT. Converted for this we'd have:
CERTS_BASE, CERTS_BUNDLED, CERTS_PORTS (ca_root_nss), CERTS_SSL (ssl.mk based)
* I assume that ca_root_nss will be removed at some point in time because
certctl(8) will be available in 12.2-RELEASE (and hopefully in 11-STABLE)
and having NSS certs in base and via ports looks like maintenance overhead
* What should now be the default at least on 12? CERTS_BASE. Why? Because if
something depends on OpenSSL from base, it should also use the certs from
/etc/ssl/certs. But it must obey ssl=... and point to that certs dir.
If Python would have its own TLS implementation like Java, I would be OK with
having a bundled certs store.
From a pkg user's POV, it should work consistently because I cannot change it,
i.e., add certs or block certs to certifi while I can with certctl(8).
WDYT?
--
You are receiving this mail because:
You are on the CC list for the bug.