Talk:Features/SharedSystemCertificates

From FedoraProject

Revision as of 17:27, 10 April 2013 by Jpokorny (Talk | contribs)


Python

Python uses OpenSSL but will only use the system certificates if explicitly told to. The path to the CA cert bundle must either be hardcoded in the app or configured. See for instance http://mercurial.selenic.com/wiki/CACertificates#Fedora.2FRHEL . That should be taken into consideration for this feature. But it is not obvious how.

The best and least intrusive solution might be to modify Python to always use the system certificates, especially when no certs have been specified. That is apparently what OS X does. Kiilerix (talk) 23:53, 23 January 2013 (UTC)

python-requests-0.14.1-1.fc17.noarch also includes /usr/lib/python2.7/site-packages/requests/cacert.pem . They should use the existing cert in /etc/pki . The guidelines should be updated to make it clear that CA stores other than the shared one aren't OK. Kiilerix (talk) 15:04, 26 January 2013 (UTC)

Following a discussion with Kiilerix on IRC, I have added a warning to rpmlint (in git only for now) to output a message when a certificate is bundled (for whatever reason). We found a few packages that should be fixed (gajim, linphone, pidgin, etc.), just by using yum whatprovides '*.pem'. (Misc)
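An added example (not from this page or from Fedora's Python packaging) illustrating the two points above: building a Python SSL context that verifies against the shared system store instead of a per-application bundle, and an rpmlint-style check for bundled CA files. The bundle path under /etc/pki and the sample package file list are assumptions.

```python
import ssl
import urllib.request
from typing import Iterable, List, Optional

# Assumed location of the shared trust store on Fedora; adjust elsewhere.
SYSTEM_CA_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"


def bare_context_ca_count() -> int:
    """A fresh SSLContext trusts no CA at all. Apps that build their own
    context and never load a store are the ones that end up hardcoding a path."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return ctx.cert_store_stats()["x509_ca"]


def system_trust_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verifying client context backed by the shared system store.

    cafile=None: load_default_certs() lets OpenSSL use its compiled-in default
    paths, which on Fedora resolve into /etc/pki ('always use the system
    certificates'). cafile given: an explicit bundle such as SYSTEM_CA_BUNDLE,
    for code that must pass a path but should point at the shared store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if cafile is None:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Report used to confirm a context really verifies peers."""
    return {
        "verify_mode": int(ctx.verify_mode),  # 2 == ssl.CERT_REQUIRED
        "check_hostname": ctx.check_hostname,
        "ca_certs": ctx.cert_store_stats()["x509_ca"],
    }


def bundled_ca_files(package_files: Iterable[str]) -> List[str]:
    """rpmlint-style check: flag .pem/.crt files a package ships outside the
    shared store (e.g. requests' site-packages/requests/cacert.pem)."""
    return [f for f in package_files
            if f.endswith((".pem", ".crt")) and not f.startswith("/etc/pki/")]


def open_url(url: str, cafile: Optional[str] = None):
    """urllib fetch verified against the shared store (needs network access)."""
    return urllib.request.urlopen(url, context=system_trust_context(cafile))
```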


ldap

I applaud this effort. Will it be possible to support storing the information in LDAP (or IPA)?

Per-user overrides

For common non-{root/daemon} use cases, it should IMHO be up to the user whom to trust. Is this view supported, and can the user, e.g., blacklist certificates trusted on the global level? Jpokorny (talk) 17:27, 10 April 2013 (UTC)