From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
Date: Fri, 02 Jan 2015 18:10:11 +1100
To: possnfiffer, freebsd-python@freebsd.org
Subject: Re: Python 2.7.9 looks for SSL certificates in /etc/ssl instead of /usr/local/etc/ssl
Message-ID: <54A64453.8090709@FreeBSD.org>
List-Id: FreeBSD-specific Python issues

On 1/01/2015 8:22 PM, possnfiffer wrote:
> I run FreeBSD 10.1-RELEASE x86_64. The last two updates for python2.7_2.2 I
> saw were Dec 22nd and Oct 10 (I believe) the Dec update is where I started
> having issues with my SABnzbdplus and SickBeard python scripts.
>
> I wrote the following in hopes that readers searching for a fix to https not
> loading with your FreeBSD python scripts, like I was, will find the
> following useful to get their systems in working order.
>
> Yo,
> The latest version of python changed its defaults and now it looks for CA
> certificate in /etc/ssl/cert.pem
>

More precisely, Python uses OpenSSL's SSL_CTX_load_verify_locations
function to find certificates. It does not maintain a list of locations
internally.

For FreeBSD's base OpenSSL, this is /etc/ssl/cert.pem
For FreeBSD's Ports OpenSSL, this is /usr/local/openssl/cert.pem

I have opened a new issue to address Python (and other software) using
OpenSSL from Ports that has more detail here:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196431

Please add your +1 to it. Seriously.

If you want to see Python (and other software) using OpenSSL from Base
fixed, add your +1 to it, seriously:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=189811

The latter issue proposed to make the ETCSYMLINK option a default, so
people using ports with default options, and those using packages can
FINALLY get SSL certificate verification out of the box.

./koobs
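
Added example, not part of the original message or of any FreeBSD or Python project code: a check of which CA file the OpenSSL linked into Python expects, and whether a bundle sits at one of the two paths named above instead. The names `diagnose`, `PAGE_LOCATIONS` and the report keys are chosen for this example; `ssl.get_default_verify_paths()` requires Python 2.7.9 or 3.4 and later.

```python
import os
import ssl

# The two locations named in the message above (base OpenSSL, Ports OpenSSL).
PAGE_LOCATIONS = ("/etc/ssl/cert.pem", "/usr/local/openssl/cert.pem")


def diagnose(paths=None, environ=None, isfile=os.path.isfile):
    """Report where the linked OpenSSL looks for its CA file and if it is there.

    Only the CA file is examined; a populated capath directory is not checked.
    """
    paths = paths or ssl.get_default_verify_paths()
    environ = os.environ if environ is None else environ
    # OpenSSL reports the name of the environment variable (normally
    # SSL_CERT_FILE) that overrides its compiled-in CA file path.
    override = environ.get(paths.openssl_cafile_env)
    effective = override or paths.openssl_cafile
    elsewhere = [p for p in PAGE_LOCATIONS if p != effective and isfile(p)]
    report = {
        "compiled_in": paths.openssl_cafile,
        "env_var": paths.openssl_cafile_env,
        "effective": effective,
        "effective_exists": isfile(effective),
        "bundles_found_elsewhere": elsewhere,
    }
    if report["effective_exists"]:
        report["verdict"] = "cafile present"
    elif elsewhere:
        report["verdict"] = "cafile missing; bundle exists elsewhere"
    else:
        report["verdict"] = "cafile missing"
    return report


if __name__ == "__main__":
    for key, value in sorted(diagnose().items()):
        print("%-24s %s" % (key, value))
```

A verdict of "cafile missing; bundle exists elsewhere" is the mismatch the thread describes: certificates are installed, but not at the path the linked OpenSSL consults, so verification fails until the file is linked there or the override variable is set.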