Re: [Python-Dev] PEP476: Enabling certificate validation by default

21 Sep 2014 03:59:36 -0700

On 21.09.2014 01:03, Nick Coghlan wrote:
> We may also need some clarification from Ned regarding the status of
> OpenSSL and the potential impact switching from dynamic linking to
> static linking of OpenSSL may have in terms of the
> "OPENSSL_X509_TEA_DISABLE" setting.
You may want to ask Hynek, too. He initially discovered the issue and
made me aware how Apple is tying keychain into OpenSSL. You may find the
code in:
http://opensource.apple.com/source/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_vfy_apple.h
http://opensource.apple.com/source/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_vfy_apple.c
The TEA (Trust Evaluation Agent) switch is global and affects all SSL
context instances. There is no canonical way to set the TEA flag for a
single context or socket.
/* -1: not set
 *  0: set to false
 *  1: set to true
 */
static int tea_enabled = -1;

void
X509_TEA_set_state(int change)
{
    tea_enabled = (change) ? 1 : 0;
}

int
X509_TEA_is_enabled()
{
    /* First call only: consult the environment, then cache the answer. */
    if (tea_enabled < 0)
        tea_enabled = (NULL == getenv(X509_TEA_ENV_DISABLE));
    return tea_enabled != 0;
}
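Added example, not part of the original message or of Apple's source: a self-contained C model of the latch quoted above, showing that the environment variable only matters before the first check and that X509_TEA_set_state() changes every context at once. The demo_ctx type and tea_latch_demo() are hypothetical, and the variable name is taken from the quoted message and assumed to be the value of X509_TEA_ENV_DISABLE.

```c
#include <stdio.h>
#include <stdlib.h>   /* getenv; setenv/unsetenv are POSIX */

/* Name as quoted in the thread; assumed to be the value of X509_TEA_ENV_DISABLE. */
#define X509_TEA_ENV_DISABLE "OPENSSL_X509_TEA_DISABLE"

static int tea_enabled = -1;   /* -1: not set, 0: false, 1: true */

void X509_TEA_set_state(int change) { tea_enabled = change ? 1 : 0; }

int X509_TEA_is_enabled(void)
{
    if (tea_enabled < 0)       /* environment is read once, then cached */
        tea_enabled = (NULL == getenv(X509_TEA_ENV_DISABLE));
    return tea_enabled != 0;
}

/* Hypothetical stand-in for an SSL context: it carries no TEA field. */
struct demo_ctx { int id; };

static int ctx_uses_tea(const struct demo_ctx *ctx)
{
    (void)ctx;                 /* every context consults the same global */
    return X509_TEA_is_enabled();
}

/* Runs the sequence and returns one bit per observation (1 = TEA on). */
int tea_latch_demo(void)
{
    struct demo_ctx a = { 1 }, b = { 2 };
    int seen = 0;

    tea_enabled = -1;                        /* fresh process state */
    unsetenv(X509_TEA_ENV_DISABLE);
    seen |= ctx_uses_tea(&a) << 0;           /* first check latches "on" */
    setenv(X509_TEA_ENV_DISABLE, "1", 1);    /* too late: value is cached */
    seen |= ctx_uses_tea(&b) << 1;
    X509_TEA_set_state(0);                   /* intended for context a only */
    seen |= ctx_uses_tea(&a) << 2;
    seen |= ctx_uses_tea(&b) << 3;           /* b is switched off as well */
    return seen;
}

int main(void)
{
    printf("observations: 0x%x\n", tea_latch_demo());
    return 0;
}
```

For a long-running process this means the variable has to be in the environment before the first certificate verification; changing it afterwards has no effect on the cached state.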