
I followed a tutorial that wrote a Python ssl demo.

```python
import ssl
import socket

HOSTNAME = "www.cloudflare.com"

# Default client context: verification on, hostname checking on, system CA roots loaded.
context = ssl.create_default_context()

# This assignment replaces the context created above with a fresh one,
# so the CA certificates loaded by create_default_context() are no longer in use.
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
context.verify_mode = ssl.CERT_REQUIRED   # the server must present a certificate we can verify
context.check_hostname = True             # the certificate must match HOSTNAME
# context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")  # the line asked about below

# server_hostname is sent as SNI and used for the hostname check
conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname=HOSTNAME)

conn.connect((HOSTNAME, 443))

# cert = conn.getpeercert()
# print(cert)
```

I don't understand this line of code; what is its function?

`context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")`

I run it on macOS, and I don't know at which path I can access ca-bundle.crt, nor what ca-bundle.crt is for. Could you please help with these questions?

user7693832
  • It looks like that you [don't need it](https://stackoverflow.com/questions/24675167/ca-certificates-mac-os-x) - the default implementation loads system-wide root certificates. – Pak Uula Sep 08 '20 at 08:24
  • Do you mean this line, `loads system-wide root certificates`? What is a system-wide root certificate? – user7693832 Sep 08 '20 at 09:41

1 Answer

Do you know how certificates are verified? If not, you can start with the Wikipedia page about PKI.

In brief: certificates are signed by the certificate authorities. We trust those authorities in that they check all the claims in the certificate requests. As a result, if a site provides a certificate for stackoverflow.com signed by a trusted CA, then we believe it is really Stack Overflow.

The set of trusted authorities is small, several dozen. Their public keys are distributed as certificates with operating systems, browsers, and the openssl distro. Those certificates are called root certificates.

The call `context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")` loads the list of root certificates of the CAs that the openssl maintainers trust. That list of certificates is stored in the file /etc/ssl/certs/ca-bundle.crt.

But on macOS this call is not needed. The default OpenSSL distro loads the CA certificates from the operating system. The certificate for cloudflare.com is issued by DigiCert. This is a reputable CA that all browsers and operating systems trust. Their certificate is stored in macOS and is loaded into your process when you initialize the default context.

FYI: the constant ssl.PROTOCOL_SSLv23 is a misnomer and has been deprecated since Python 3.6. Use ssl.PROTOCOL_TLS instead.

Pak Uula
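To make the answer's point concrete, here is an added example (not code from the question, the answer, or the tutorial) that shows where this interpreter's OpenSSL looks for its CA bundle, that a freshly constructed `SSLContext` like the one in the question holds no root certificates at all, and how `load_default_certs()` and `load_verify_locations()` each fill that gap. The bundle path passed to `try_load_bundle` is a hypothetical placeholder.

```python
import ssl


def trust_store_locations():
    """Where this Python's OpenSSL looks for CA certificates by default.

    On macOS this answers "which path is the ca-bundle" for this interpreter.
    Either entry may be None when the build relies on the other one.
    """
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.cafile,                    # one bundle file, e.g. ca-bundle.crt
        "capath": paths.capath,                    # a directory of per-CA files
        "cafile_env": paths.openssl_cafile_env,    # env var that overrides cafile
        "capath_env": paths.openssl_capath_env,    # env var that overrides capath
    }


def bare_client_context():
    """What the question's second assignment produces: strict settings, no roots.

    PROTOCOL_TLS_CLIENT already sets CERT_REQUIRED and check_hostname, but
    nothing is trusted yet, so any real server would fail verification.
    """
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def verifying_context(cafile=None):
    """A context that can actually verify a server certificate.

    cafile=None loads the OS / OpenSSL default roots, which is what
    ssl.create_default_context() does for you; otherwise the given bundle
    is loaded explicitly with load_verify_locations().
    """
    ctx = bare_client_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def try_load_bundle(cafile):
    """Return True if the bundle loads, False if the path does not exist.

    A missing bundle is a hard error from OpenSSL, not a silent "trust nothing".
    """
    try:
        verifying_context(cafile)
        return True
    except FileNotFoundError:
        return False


def loaded_ca_count(ctx):
    """Roots loaded from a bundle file (capath directories load lazily, not counted)."""
    return len(ctx.get_ca_certs())
```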