[feature request] take back ssl binding "SSL_CTX_set_cert_store"

[SeaHOH]

I am using SSL_CTX_set_cert_store which allow me could maintain only one strore. This is very convenient and functional, but removed from v40. Please, could you take it back to new releases?

[reaperhulk]

Do you use this in conjunction with pyopenssl? If so, it would be desirable to add it as a feature there and use the binding from pyopenssl. That way we understand how it’s being used, can test for it, etc.

[SeaHOH]

@reaperhulk Yes, I use it with pyOpenSSL. And, you suggest me make a feature/pull request to pyOpenSSL project (not its dependency). Do I understand correct? If so, could you transport this issue to pyOpenSSL repository? I will change the title then.

[alex]

This is a multi-step process, so we'll need work on both sides: First we figure out what API pyOpenSSL should have. Then we add the binding here. Then we add that API to pyOpenSSL.

…

On Thu, Apr 6, 2023 at 7:36 AM SeaHOH ***@***.***> wrote: @reaperhulk Yes, I use it with pyOpenSSL. And, you suggestion me make a feature/pull request to pyOpenSSL project (not its dependency). Do I understand correct? If so, could you transport this issue to pyOpenSSL repository? I will change the title then. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.

[SeaHOH]

This is a multi-step process, so we'll need work on both sides:
...

So, we donot need to transport this issue. OK, let's go on.

I think a context configurable cert store will be most useful. There is already SSL.Context.get_cert_store here, why not a SSL.Context.set_cert_store?

[mhils]

FWIW for @mitmproxy we're reusing one SSL.Context for all client connections. SSL.Connection nowadays has use_certificate and use_privatekey methods which make that possible. Not sure if that would be an alternative in your case. :)

[SeaHOH]

@mhils Thanks for your suggestion. But I think session reuse will not be work between different servers in your case.

BTW, SSL_session_reused has also be removed, but this is not so terrible.

[reaperhulk]

Having an SSL.Context.set_cert_store seems reasonable to me. Let's assume that's what we're going to do. Do you have time to implement that on the pyOpenSSL side? As Alex mentioned we need to add the binding here and then add the API in pyOpenSSL. Complicating matters a bit is that we also need to fix a pyOpenSSL test issue, but we can work around that during dev. We'll also have to have an extra branch in set_cert_store to handle the versions that don't bind this function until such time as we require >=40.0.3 (or whatever version we release the re-added binding in). This is being done in pyca/pyopenssl#1202 as well.

[SeaHOH]

Do you have time to implement that on the pyOpenSSL side?

Me? I can write the funticon code, but I am not good at English as you see, I cannot use accurate/seemly wording into the code comment. And I am not a programer, write unit tests is hard to me.

[reaperhulk]

The binding has been re-added in 40.0.2 and we'll do a pyopenssl release soon to add the new method.

[SeaHOH]

New releases of pyOpenSSL did not implemented SSL.Context.set_cert_store, so reopen.

[alex]

This issue tracks adding the appropriate binding, which is available in cryptography. Any work in pyopenssl needs to be tracked there.