As I read
https://github.com/wbond/oscrypto/blob/66ba999b66c152410af08b90ef77bc47b235f098/oscrypto/_openssl/tls.py#L192 to https://github.com/wbond/oscrypto/blob/66ba999b66c152410af08b90ef77bc47b235f098/oscrypto/_openssl/tls.py#L208
A provided "trust_list_path" only gets applied on Windows and Mac, while on other platforms trusted certificates are (only) loaded from the system default via SSL_CTX_set_default_verify_paths(ssl_ctx).
Later on, "extra_trust_roots" can be added, but this won't override/replace/forget already loaded certificates from the system default.
According to https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_paths.html this result might be influenced by setting environment variables.
To be able to ignore/tighten the system's trust settings without fiddling with the environment, I tried to use the "trust_list_path" feature for OpenSSL on Linux the same way it seems to be already possible on Windows and Mac, with patch @
https://build.opensuse.org/package/view_file/home:cunix:pythondevel/python-oscrypto/allow_setting_path_to_trusted_certificates.patch
Is my described understanding correct?
If yes, is there a reason why "trust_list_path" should have an effect on some platforms, but not on others?
If the second answer is "no", might upstream be interested in taking this patch or something similar?