Issue #21043: Remove the recommendation for specific CA organizations

Closes #21043 by updating the documentation to remove specific CA
organizations and update the text to no longer need to tell you to
download root certificates, but instead use the OS certificates
available through SSLContext.load_default_certs.

Donald Stufft 2014-03-24 19:26:03 -04:00
parent d9a7352348
commit 4137465bf5
2 changed files with 6 additions and 14 deletions

@ -1339,20 +1339,9 @@ If you are going to require validation of the other side of the connection's
certificate, you need to provide a "CA certs" file, filled with the certificate certificate, you need to provide a "CA certs" file, filled with the certificate
chains for each issuer you are willing to trust. Again, this file just contains chains for each issuer you are willing to trust. Again, this file just contains
these chains concatenated together. For validation, Python will use the first these chains concatenated together. For validation, Python will use the first
chain it finds in the file which matches. Some "standard" root certificates are chain it finds in the file which matches. The platform's certificates file can
available from various certification authorities: `CACert.org be used by calling :meth:`SSLContext.load_default_certs`, this is done
<http://www.cacert.org/index.php?id=3>`_, `Thawte automatically with :func:`.create_default_context`.
<http://www.thawte.com/roots/>`_, `Verisign
<http://www.verisign.com/support/roots.html>`_, `Positive SSL
<http://www.PositiveSSL.com/ssl-certificate-support/cert_installation/UTN-USERFirst-Hardware.crt>`_
(used by python.org), `Equifax and GeoTrust
<http://www.geotrust.com/resources/root_certificates/index.asp>`_.
In general, if you are using SSL3 or TLS1, you don't need to put the full chain
in your "CA certs" file; you only need the root certificates, and the remote
peer is supposed to furnish the other certificates necessary to chain from its
certificate to a root certificate. See :rfc:`4158` for more discussion of the
way in which certification chains can be built.
Combined key and certificate Combined key and certificate
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
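
Review bot: The removal in this hunk goes further than the commit message says: along with the CA links it deletes the paragraph starting "In general, if you are using SSL3 or TLS1, you don't need to put the full chain" and its :rfc:`4158` pointer, which is about chain building rather than about any specific CA organization. That paragraph is the only text in this hunk telling readers that root certificates alone are enough in a "CA certs" file, so either keep it or state in the commit message why it is dropped. Separately, the added sentence has a comma splice ("... :meth:`SSLContext.load_default_certs`, this is done automatically ..."); split it into two sentences or use a semicolon.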

@ -79,6 +79,9 @@ Library
Documentation Documentation
------------- -------------
- Issue #21043: Remove the recommendation for specific CA organizations and to
mention the ability to load the OS certificates.
- Issue #20765: Add missing documentation for PurePath.with_name() and - Issue #20765: Add missing documentation for PurePath.with_name() and
PurePath.with_suffix(). PurePath.with_suffix().
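
Review bot: The new entry under Documentation is not grammatically parallel: "Remove the recommendation for specific CA organizations and to mention the ability to load the OS certificates" should read "and mention the ability ...". Naming SSLContext.load_default_certs in the entry, as the commit message does, would also make it easier to find later.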