@@ -40,7 +40,7 @@ Certificate verification and OpenSSL
Python 2.7.9 includes a number of network security enhancements that have been approved for inclusion in Python 2.7 maintenance releases. PEP 476 changes several standard library modules, like httplib, urllib2, and xmlrpclib, to by default verify certificates presented by servers over secure (TLS) connections. The verification is performed by the OpenSSL libraries that Python is linked to. Prior to 2.7.9, the python.org installers dynamically linked with Apple-supplied OpenSSL libraries shipped with OS X. OS X provides a multiple level security framework that stores trust certificates in system and user keychains managed by the Keychain Access application and the security command line utility.
For OS X 10.5, Apple provides OpenSSL 0.9.7 libraries. This version of Apple's OpenSSL does not use the certificates from the system security framework, even when used on newer versions of OS X. Instead it consults a traditional OpenSSL concatenated certificate file (cafile) or certificate directory (capath), located in /System/Library/OpenSSL. These directories are typically empty and not managed by OS X; you must manage them yourself or supply your own SSL contexts. OpenSSL 0.9.7 is obsolete by current security standards, lacking a number of important features found in later versions. Among the problems this causes is the inability to verify higher-security certificates now used by python.org services, including the Python Package Index, PyPI. To solve this problem, as of 2.7.9 the 10.5+ 32-bit-only python.org variant is linked with a private copy of OpenSSL 1.0.1j; it consults the same default certificate directory, /System/Library/OpenSSL. As before, it is still necessary to manage certificates yourself when you use this Python variant and, with certification verification now enabled by default, you may now need to take additional steps to ensure your Python programs have access to CA certificates you trust. If you use this Python variant to build standalone applications with third-party tools like py2app, you may now need to bundle CA certificates in them or otherwise supply non-default SSL contexts.
For OS X 10.5, Apple provides OpenSSL 0.9.7 libraries. This version of Apple's OpenSSL does not use the certificates from the system security framework, even when used on newer versions of OS X. Instead it consults a traditional OpenSSL concatenated certificate file (cafile) or certificate directory (capath), located in /System/Library/OpenSSL. These directories are typically empty and not managed by OS X; you must manage them yourself or supply your own SSL contexts. OpenSSL 0.9.7 is obsolete by current security standards, lacking a number of important features found in later versions. Among the problems this causes is the inability to verify higher-security certificates now used by python.org services, including the Python Package Index, PyPI. To solve this problem, as of 2.7.9 the 10.5+ 32-bit-only python.org variant is linked with a private copy of OpenSSL 1.0.1j; it consults the same default certificate directory, /System/Library/OpenSSL. As before, it is still necessary to manage certificates yourself when you use this Python variant and, with certificate verification now enabled by default, you may now need to take additional steps to ensure your Python programs have access to CA certificates you trust. If you use this Python variant to build standalone applications with third-party tools like py2app, you may now need to bundle CA certificates in them or otherwise supply non-default SSL contexts.
For OS X 10.6+, Apple also provides OpenSSL 0.9.8 libraries. Apple's 0.9.8 version includes an important additional feature: if a certificate cannot be verified using the manually administered certificates in /System/Library/OpenSSL, the certificates managed by the system security framework In the user and system keychains are also consulted (using Apple private APIs). For this reason, for 2.7.9 the 64-bit/32-bit 10.6+ python.org variant continues to be dynamically linked with Apple's OpenSSL 0.9.8 since it was felt that the loss of the system-provided certificates and management tools outweighs the additional security features provided by newer versions of OpenSSL. This will likely change in future releases of the python.org installers as Apple has deprecated use of the system-supplied OpenSSL libraries. If you do need features from newer versions of OpenSSL, there are third-party OpenSSL wrapper packages available through PyPI.
\i0 ; it consults the same default certificate directory,
\f1 /System/Library/OpenSSL
\f0 . As before, it is still necessary to manage certificates yourself when you use this Python variant and, with certification verification now enabled by default, you may now need to take additional steps to ensure your Python programs have access to CA certificates you trust. If you use this Python variant to build standalone applications with third-party tools like {\field{\*\fldinst{HYPERLINK "https://pypi.python.org/pypi/py2app/"}}{\fldrslt
\f0 . As before, it is still necessary to manage certificates yourself when you use this Python variant and, with certificate verification now enabled by default, you may now need to take additional steps to ensure your Python programs have access to CA certificates you trust. If you use this Python variant to build standalone applications with third-party tools like {\field{\*\fldinst{HYPERLINK "https://pypi.python.org/pypi/py2app/"}}{\fldrslt
\f1 py2app}}, you may now need to bundle CA certificates in them or otherwise supply non-default SSL contexts.\