[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

[pukkandan]

pukkandan  added the comment:

> A workaround for Python would require a major rewrite of the Windows CA store 
> integration. We don't have any capacity to work on that area

In theory, the issue can be worked around by simply loading each certificate 
separately. See 
https://github.com/yt-dlp/yt-dlp/pull/1118/commits/599ca418ac75ab1c0baf97f184f32ac48aa759ed

--
nosy: +pukkandan

___
Python tracker 
<https://bugs.python.org/issue35665>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

[pukkandan]

pukkandan  added the comment:

Also, the pictures uploaded by the OP are misleading since they are from a 
version of the code that was specifically intended for debugging the issue. the 
problem can be better seen in this comment 
https://github.com/yt-dlp/yt-dlp/issues/1060#issuecomment-925843378

```py
C:\Windows\system32>py
Python 3.9.7 (tags/v3.9.7:1016ef3, Aug 30 2021, 20:19:38) [MSC v.1929 64 bit 
(AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> len(ssl.enum_certificates('ROOT'))
68
>>> len(ssl.enum_certificates('CA'))
39
>>> ssl.create_default_context()
Traceback (most recent call last):
  File "", line 1, in 
  File "C:\Program Files\Python39\lib\ssl.py", line 750, in 
create_default_context
context.load_default_certs(purpose)
  File "C:\Program Files\Python39\lib\ssl.py", line 574, in load_default_certs
self._load_windows_store_certs(storename, purpose)
  File "C:\Program Files\Python39\lib\ssl.py", line 566, in 
_load_windows_store_certs
self.load_verify_locations(cadata=certs)
ssl.SSLError: not enough data: cadata does not contain a certificate 
(_ssl.c:4159)
>>> exit()
```

--

___
Python tracker 
<https://bugs.python.org/issue45312>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

[pukkandan]

pukkandan  added the comment:

Hi,

I am the maintainer of the above mentioned project. I was planning to implement 
a patch for this. But I asked OP to report the issue here anyway since I do not 
believe this is the intended behavior. 

For context, the issue is occurring when using the `ssl.create_default_context` 
function and not by manually adding the verify flag. For this, the default (in 
my opinion) should be to ignore any invalid certificates. Even the comment in 
the relevent code 
(https://github.com/python/cpython/blob/84975146a7ce64f1d50dcec8311b7f7188a5c962/Lib/ssl.py#L772-L774)
 seem to agree with my sentiment. 

I ask that you please reconsider your stance on this issue. Thanks

--
nosy: +pukkandan

___
Python tracker 
<https://bugs.python.org/issue45312>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com