PycURL currently (7.45.3) supplies native builds that include libcurl. The implication is that the default CAINFO value comes from the system on which libcurl was built. For Linux, it's currently `/etc/pki/tls/certs/ca-bundle.crt` from the Red Hat family of distros, in contrast to `/etc/ssl/certs/ca-certificates.crt` from the Debian family.
While curldl probably shouldn't employ CA bundle lookup on the filesystem and accept elaborate settings like curl, the documentation should explain possible issues and provide recipes for mitigating them:
- passing `curl_config_callback` to `curldl.Curldl` with `curl.setopt(pycurl.CAINFO, ".../ca-certificates.crt")`
- using distribution-supplied PycURL — e.g., `python3-pycurl`
- installing a non-binary wheel that will use system libcurl: `pip3 install pycurl --no-binary pycurl`
- creating a `/etc/pki/tls/certs/ca-bundle.crt` → `/etc/ssl/certs/ca-certificates.crt` symlink
- using conda, which bundles its own certificates — see `miniconda3/bin/curl-config --ca`
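
A sketch of the first recipe, as an added example that is not code from curldl or PycURL: it picks whichever of the two bundle paths named above exists and builds a callback that sets `CAINFO`, refusing to continue if neither is present rather than weakening verification. The helper names and the assumption that the callback receives a single `pycurl.Curl` handle are mine.

```python
import os

# The two default locations named above (Red Hat family, Debian family).
CA_BUNDLE_CANDIDATES = (
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
)


def find_ca_bundle(candidates=CA_BUNDLE_CANDIDATES):
    """Return the first candidate that is a readable, non-empty file, else None."""
    for path in candidates:
        if (os.path.isfile(path) and os.access(path, os.R_OK)
                and os.path.getsize(path) > 0):
            return path
    return None


def make_cainfo_callback(candidates=CA_BUNDLE_CANDIDATES):
    """Build a callback that points a pycurl.Curl handle at the local CA bundle."""
    bundle = find_ca_bundle(candidates)
    if bundle is None:
        # Fail closed: never fall back to disabling certificate verification.
        raise FileNotFoundError("no CA bundle found in: " + ", ".join(candidates))

    def configure(curl):
        # Assumption: curldl calls this with one pycurl.Curl handle.
        import pycurl  # imported lazily so the lookup works without PycURL
        curl.setopt(pycurl.CAINFO, bundle)
        # Restate libcurl's verification defaults so a later change to the
        # handle's configuration cannot silently leave them off.
        curl.setopt(pycurl.SSL_VERIFYPEER, 1)
        curl.setopt(pycurl.SSL_VERIFYHOST, 2)

    return configure


# Hypothetical usage (constructor arguments other than curl_config_callback
# are assumptions):
#   dl = curldl.Curldl(basedir="downloads",
#                      curl_config_callback=make_cainfo_callback())
```
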