From: <ex...@tw...> - 2010-03-15 21:54:08
On 08:55 pm, ma...@eg... wrote:
>
> Thanks for the hint. Here's the full background:
>
> http://www.madboa.com/geek/openssl/#verify-system

Awesome link, thanks for finding it.

> Different OSes place the trusted certificate database files in
> different places and none of them uses the OpenSSL default which
> is /usr/local/ssl and a subdir certs/.

The versions of OpenSSL distributed by Ubuntu and Debian and by Apple in OS X 10.6 don't use the default, but the build configuration is correctly specified so that OpenSSL can find the certificates in the non-default location. In a perfect world, this is how it would be on all platforms. :)

> The only way to work around this appears to be to call
> ctx.load_verify_locations() to point the context to the
> right set of trusted certificates.
>
> I believe that the test should apply such a setup for
> the verisign.com certificate authority instead of
> relying on a platform provided default setup, i.e. use
> its own certs/ subdir with the root CA certificates that
> are used by verisign.com.

The test in question is for ctx.set_default_verify_paths. It does seem very likely that calling ctx.load_verify_locations with a path known to contain the necessary CA certificate would make the test pass, but then it would be testing something else. :) I'll definitely agree that this is not a very good unit test, for a number of reasons.

> In any case, the above test failure is a problem with the test
> setup more than anything else.

I agree. I think it might make sense to try to determine if the libssl being used was built in a way that could allow the necessary CA cert to be found, and skip the test if it was not. Running "openssl version -d" and checking what's in that directory might be a good heuristic.

> Here's a version of the test which works on OpenSUSE:
>
> [snip]

Any chance you could agitate to have the OpenSUSE build fixed so that ctx.set_default_verify_paths can actually work? :) If all the major platforms had a properly built version of OpenSSL, I think it'd be a lot easier for people to write well-behaved SSL applications.

Jean-Paul
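The "openssl version -d" heuristic suggested in the reply, written out as an added example; this is not code from the thread or from pyOpenSSL. It runs the CLI, extracts OPENSSLDIR, checks whether that directory holds anything that looks like a CA store, and skips a unit test when it does not. The function and test names, the assumption that a usable store is a non-empty certs/ subdirectory or a cert.pem bundle, and the dummy certificate file used for the self-check are all my own constructions.

```python
"""Heuristic for deciding whether a test of Context.set_default_verify_paths()
can be expected to pass on this host (added example, not from the thread).

Assumptions (mine): the `openssl` CLI is on PATH when probe_openssldir() is
called, and a usable default CA store is either a non-empty certs/ directory
or a non-empty cert.pem bundle beneath OPENSSLDIR.
"""
import os
import re
import subprocess
import tempfile
import unittest

_OPENSSLDIR_RE = re.compile(r'OPENSSLDIR:\s*"([^"]+)"')


def parse_openssldir(version_d_output: str):
    """Extract the directory from `openssl version -d` output, e.g.
    'OPENSSLDIR: "/usr/lib/ssl"' -> '/usr/lib/ssl'. Returns None if absent."""
    match = _OPENSSLDIR_RE.search(version_d_output)
    return match.group(1) if match else None


def default_ca_store_present(openssldir: str) -> bool:
    """True if OPENSSLDIR looks like it holds trusted CA certificates: a certs/
    subdirectory with at least one entry, or a non-empty cert.pem bundle.
    This only shows the default location is populated; it does not prove that
    any particular CA (such as the one behind verisign.com) is present."""
    certs_dir = os.path.join(openssldir, "certs")
    if os.path.isdir(certs_dir) and any(
        entry.is_file() or entry.is_symlink() for entry in os.scandir(certs_dir)
    ):
        return True
    bundle = os.path.join(openssldir, "cert.pem")
    return os.path.isfile(bundle) and os.path.getsize(bundle) > 0


def probe_openssldir():
    """Run `openssl version -d` and return OPENSSLDIR, or None if the CLI is
    missing, fails, or prints something unexpected."""
    try:
        out = subprocess.run(
            ["openssl", "version", "-d"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_openssldir(out)


def default_verify_paths_usable() -> bool:
    """Combine the probe and the directory check into one skip condition."""
    openssldir = probe_openssldir()
    return openssldir is not None and default_ca_store_present(openssldir)


def check_constructed_layouts():
    """Exercise the heuristic on two constructed OPENSSLDIR layouts (sample
    data, not a real system store): an empty certs/ and one holding a dummy
    certificate file. Returns (empty_result, populated_result)."""
    with tempfile.TemporaryDirectory() as root:
        empty = os.path.join(root, "empty")
        os.makedirs(os.path.join(empty, "certs"))
        populated = os.path.join(root, "populated")
        os.makedirs(os.path.join(populated, "certs"))
        with open(os.path.join(populated, "certs", "dummy-ca.pem"), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
                     "-----END CERTIFICATE-----\n")
        return default_ca_store_present(empty), default_ca_store_present(populated)


class DefaultVerifyPathsTest(unittest.TestCase):
    # Skip rather than fail when libssl's default CA location is empty, so a
    # badly built OpenSSL shows up as a skipped test instead of a false alarm.
    @unittest.skipUnless(default_verify_paths_usable(),
                         "OPENSSLDIR holds no CA certificates; "
                         "set_default_verify_paths() cannot be expected to work")
    def test_set_default_verify_paths(self):
        # Placeholder body (hypothetical): the real test would build an
        # OpenSSL.SSL.Context, call ctx.set_default_verify_paths(), and verify
        # a connection against a public server.
        self.assertTrue(default_verify_paths_usable())


if __name__ == "__main__":
    print("default verify paths usable:", default_verify_paths_usable())
    unittest.main()
```

The check deliberately stays coarse: it answers "is there anything in the place libssl will look?", which is exactly the question that separates a broken build from a test that is wrong for other reasons.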