Documente Academic
Documente Profesional
Documente Cultură
OpenSSL does not use the certificates from the system security framework, even when
used on newer versions of OS X. Instead it consults a traditional OpenSSL
concatenated certificate file (cafile) or certificate directory (capath), located in
/System/Library/OpenSSL. These directories are typically empty and not managed
by OS X; you must manage them yourself or supply your own SSL contexts. OpenSSL
0.9.7 is obsolete by current security standards, lacking a number of important features
found in later versions. Among the problems this causes is the inability to verify highersecurity certificates now used by python.org services, including the Python Package
Index, PyPI. To solve this problem, the 10.5+ 32-bit-only python.org variant is linked
with a private copy of OpenSSL 1.0.2; it consults the same default certificate directory,
/System/Library/OpenSSL. As before, it is still necessary to manage certificates
yourself when you use this Python variant and, with certificate verification now enabled
by default, you may now need to take additional steps to ensure your Python programs
have access to CA certificates you trust. If you use this Python variant to build
standalone applications with third-party tools like py2app, you may now need to bundle
CA certificates in them or otherwise supply non-default SSL contexts.
For OS X 10.6+, Apple also provides OpenSSL 0.9.8 libraries. Apple's 0.9.8 version
includes an important additional feature: if a certificate cannot be verified using the
manually administered certificates in /System/Library/OpenSSL, the certificates
managed by the system security framework In the user and system keychains are also
consulted (using Apple private APIs). For this reason, the 64-bit/32-bit 10.6+ python.org
variant continues to be dynamically linked with Apple's OpenSSL 0.9.8 since it was felt
that the loss of the system-provided certificates and management tools outweighs the
additional security features provided by newer versions of OpenSSL. This will likely
change in future releases of the python.org installers as Apple has deprecated use of
the system-supplied OpenSSL libraries. If you do need features from newer versions of
OpenSSL, there are third-party OpenSSL wrapper packages available through PyPI.
The bundled pip included with the Python 3.5 installers has its own default certificate
store for verifying download connections.
Other changes
For other changes in this release, see the What's new section in the Documentation Set
for this release and its Release Notes link at https://www.python.org/downloads/.