[oe] SSL Certificate Path for Python

Ash Charles ashcharles at gmail.com
Wed Jul 8 00:37:25 UTC 2015


Hi,

I did a little more digging---the issue is not so much related to
python as it is a difference in configuration between the
ca-certificates and openssl packages.

SSL certificates provided by the ca-certificates package are installed
to /usr/share/ca-certificates/mozilla and then symlinked to the
standard /etc/ssl/certs (controlled by ETCCERTSDIR) as a post-install.

OpenSSL gets built expecting that certificates will be stored at
/usr/lib/ssl/certs (check the 'openssldir' compiled in using 'openssl
version -d')---a standard but empty directory.  This means we get
verification failures for anything using openssl that doesn't
explicitly provide a set of valid certificates.  In my case, this is
breaking the Smart package manager when using a repository at a
'https' URL (the certificate is valid).

Debian solves this by symlinking the whole /usr/lib/ssl to /etc/ssl/
as a postinstall step on the openssl package.  I added this in a
similar fashion in a bbappend for testing:

do_install_append() {
    rm -r ${D}${libdir}/ssl/certs
    ln -sf /etc/ssl/certs ${D}${libdir}/ssl/certs
}

Does this seem like a reasonable approach?  Another approach could be
setting the SSL_CERT_DIR to /etc/ssl/certs in .profile (or similar).

--Ash

On Mon, Jul 6, 2015 at 5:16 PM, Ash Charles <ashcharles at gmail.com> wrote:
> Hi,
>
> With the move from python 2.7.3 (dizzy) to 2.7.9 (fido), Python
> actually validates SSL-transport for https URLs [1].  Python, by
> default (i.e. no environment variable SSL_CERT_DIR set), looks for
> certificates at '/usr/lib/ssl/certs'.  I tested this in a Python
> shell:
> import ssl
> ssl.get_default_verify_paths()
>
> The ca-certificates recipe seems to be installing certificates to
> ${D}${sysconfdir}/ssl/certs or /usr/share/ca-certificates/mozilla/
> instead.  I think that Python will need a way to find the system's
> certificates.  I can create a patch to do this but this seems to
> couple the configuration in the ca-certificates and python recipes.
>
> Has anyone stumbled across this issue?  Is there a standard way of
> looking up where a system is storing its certificates?
>
> [1] https://www.python.org/dev/peps/pep-0476/
>
> Thanks for any insights---I'm learning much more about SSL
> certificates than I expected today ;-).
>
> --Ash
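As an added illustration (not code from the thread), a Python script that reproduces the check done with ssl.get_default_verify_paths() and tells apart the two failure modes described above: the compiled-in certs directory exists but is empty, or it is missing altogether. The 'ff783690.0' entry name and the paths the helper builds are constructed placeholders.

```python
"""Diagnose the ca-certificates / openssl directory mismatch.

ssl.get_default_verify_paths() reports the CA file and directory OpenSSL
was compiled with (the 'openssldir', same as `openssl version -d`) and the
environment variable names (SSL_CERT_FILE / SSL_CERT_DIR) that override them.
"""
import os
import ssl
import tempfile

_DEFAULTS = ssl.get_default_verify_paths()
CAFILE_ENV = _DEFAULTS.openssl_cafile_env   # normally "SSL_CERT_FILE"
CAPATH_ENV = _DEFAULTS.openssl_capath_env   # normally "SSL_CERT_DIR"


def is_hashed_cert_name(name):
    """OpenSSL only finds certs in a capath via <subject-hash>.<n> entries
    (eight hex digits, e.g. 'ff783690.0'), created by c_rehash or the
    ca-certificates post-install; a plain 'foo.crt' is ignored."""
    stem, _, suffix = name.rpartition(".")
    return (len(stem) == 8 and all(c in "0123456789abcdef" for c in stem)
            and suffix.isdigit())


def capath_status(capath):
    """Return (directory exists, number of hashed cert entries in it)."""
    if not capath or not os.path.isdir(capath):
        return (False, 0)
    return (True, sum(1 for n in os.listdir(capath) if is_hashed_cert_name(n)))


def effective_verify_paths(env):
    """Apply OpenSSL's override rule: the env vars win over the compiled-in
    defaults. `env` is passed in so the logic can be tested without touching
    the real process environment."""
    cafile = env.get(CAFILE_ENV, _DEFAULTS.openssl_cafile)
    capath = env.get(CAPATH_ENV, _DEFAULTS.openssl_capath)
    return cafile, capath


def diagnose(env):
    cafile, capath = effective_verify_paths(env)
    exists, hashed = capath_status(capath)
    if (cafile and os.path.isfile(cafile)) or hashed > 0:
        return "ok"
    return "empty-capath" if exists else "missing-capath"


def make_constructed_capath(populated):
    """Constructed test fixture: a temp dir, optionally with one dummy hashed
    entry (its content is irrelevant to the directory-level check above)."""
    d = tempfile.mkdtemp(prefix="capath-")
    if populated:
        open(os.path.join(d, "ff783690.0"), "w").close()
    return d


if __name__ == "__main__":
    print(diagnose(dict(os.environ)))
```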
