[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

2021-09-28 Thread Steve Dower


Steve Dower  added the comment:

Looks like you should take the discussion to issue35665, and this one can stay 
closed.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

2021-09-28 Thread Christian Heimes


Change by Christian Heimes :


--
assignee: christian.heimes -> 
nosy:  -christian.heimes




[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

2021-09-28 Thread Pedjas


Pedjas  added the comment:

This hurts a number of Python applications, even those published by large 
players. Basically, any attempt to read any certificate (for example to load 
any https url) fails due to this issue.

For example:

- QGIS fails to load map tiles on https links. Python issue with certificates.

- AutoDesk Fusion 360 cannot be installed. On install, it requires online 
activation. Activation is done using https link. That does not work as Python 
fails on certificates.

And that is a bug of Python. If you check code that causes this issue you will 
notice problem in code.

1.  When some certificate is needed Python loops and tries to load each and 
every certificate installed instead of loading only certificate that is 
actually needed and skip others.

2. No exception handling. When trying to load "bad" certificate, Python just 
crashes instead of graciously handle (skip) issue.

This problem occurs only with Python. No other application has such issue when 
handling certificates. MUPCA certificate works fine with every other 
application.

This issue can be easily solved with one simple if and one simple exception 
handler: loop through certificate. Only if certificate is the one needed try to 
load it. Enclose loading code within exception, if it fails, report descriptive 
error, and skip further. Do not allow Python to crash.

--
nosy: +Pedjas




[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

2021-09-28 Thread Christian Heimes


Change by Christian Heimes :


--
dependencies: +Function ssl.create_default_context raises exception on Windows 
10  when called with  ssl.Purpose.SERVER_AUTH) attribute
superseder:  -> Function ssl.create_default_context raises exception on Windows 
10  when called with  ssl.Purpose.SERVER_AUTH) attribute




[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

2021-09-28 Thread pukkandan


pukkandan  added the comment:

Also, the pictures uploaded by the OP are misleading since they are from a 
version of the code that was specifically intended for debugging the issue. The 
problem can be better seen in this comment 
https://github.com/yt-dlp/yt-dlp/issues/1060#issuecomment-925843378

```py
C:\Windows\system32>py
Python 3.9.7 (tags/v3.9.7:1016ef3, Aug 30 2021, 20:19:38) [MSC v.1929 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> len(ssl.enum_certificates('ROOT'))
68
>>> len(ssl.enum_certificates('CA'))
39
>>> ssl.create_default_context()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Program Files\Python39\lib\ssl.py", line 750, in create_default_context
    context.load_default_certs(purpose)
  File "C:\Program Files\Python39\lib\ssl.py", line 574, in load_default_certs
    self._load_windows_store_certs(storename, purpose)
  File "C:\Program Files\Python39\lib\ssl.py", line 566, in _load_windows_store_certs
    self.load_verify_locations(cadata=certs)
ssl.SSLError: not enough data: cadata does not contain a certificate (_ssl.c:4159)
>>> exit()
```

--

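The traceback above ends in a single `load_verify_locations(cadata=certs)` call inside `_load_windows_store_certs`. The sketch below is an added example, not CPython's or yt-dlp's code: it loads store entries one at a time and skips those OpenSSL cannot parse, while certificate and hostname verification stay enabled. `load_store_certs`, `create_tolerant_context` and the sample entries are hypothetical names and constructed data.

```python
import ssl
import sys


def load_store_certs(context, entries, purpose=ssl.Purpose.SERVER_AUTH):
    """Load DER certificates one by one; return (loaded_count, skipped).

    `entries` has the shape ssl.enum_certificates() returns on Windows:
    (cert_bytes, encoding_type, trust), where trust is True or a set of OIDs.
    """
    loaded, skipped = 0, []
    for index, (cert, encoding, trust) in enumerate(entries):
        if encoding != "x509_asn":
            continue  # not a single DER certificate (e.g. a PKCS#7 bundle)
        if trust is not True and purpose.oid not in trust:
            continue  # store does not trust this entry for the purpose
        try:
            context.load_verify_locations(cadata=cert)
        except (ssl.SSLError, ValueError) as exc:
            # SSLError: undecodable DER; ValueError: empty data.
            skipped.append((index, str(exc)))
        else:
            loaded += 1
    return loaded, skipped


def create_tolerant_context(purpose=ssl.Purpose.SERVER_AUTH):
    """Return (context, skipped) for a verifying client context."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    skipped = []
    if sys.platform == "win32":
        for store in ("CA", "ROOT"):
            entries = ssl.enum_certificates(store)
            skipped += [(store, i, msg)
                        for i, msg in load_store_certs(context, entries, purpose)[1]]
    context.set_default_verify_paths()
    return context, skipped


# Constructed sample in enum_certificates() shape (no real certificates):
SAMPLE_ENTRIES = [
    (b"broken", "x509_asn", True),                   # unparsable: skipped
    (b"bundle", "pkcs_7_asn", True),                 # wrong encoding: ignored
    (b"broken", "x509_asn", {"1.3.6.1.5.5.7.3.2"}),  # clientAuth only: ignored
]
```

A skipped entry is simply not trusted by the resulting context, so a server chaining to it still fails verification; the `skipped` list is what an application would log to tell the user which store entry was rejected.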



[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

2021-09-28 Thread Steve Dower


Steve Dower  added the comment:

Adding Christian, as he's our expert in this area, and was also driving the 
other bug.

--
assignee:  -> christian.heimes
components: +SSL
nosy: +christian.heimes




[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

2021-09-28 Thread pukkandan


pukkandan  added the comment:

Hi,

I am the maintainer of the above mentioned project. I was planning to implement 
a patch for this. But I asked OP to report the issue here anyway since I do not 
believe this is the intended behavior. 

For context, the issue is occurring when using the `ssl.create_default_context` 
function and not by manually adding the verify flag. For this, the default (in 
my opinion) should be to ignore any invalid certificates. Even the comment in 
the relevant code 
(https://github.com/python/cpython/blob/84975146a7ce64f1d50dcec8311b7f7188a5c962/Lib/ssl.py#L772-L774)
 seems to agree with my sentiment. 

I ask that you please reconsider your stance on this issue. Thanks

--
nosy: +pukkandan




[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

2021-09-28 Thread Steve Dower


Steve Dower  added the comment:

Python doesn't include any trusted certificates - it reads them from the 
operating system. So you'll need to get the operating system vendors to include 
it if you want it to be trusted by default.

Additionally, some libraries include a copy of Mozilla's bundle (usually via 
the certifi package) and override the operating system. You'd need them to also 
include it.

--
resolution: remind -> third party




[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

2021-09-28 Thread Dimitrije Milović

Dimitrije Milović  added the comment:

OK, will let the yt-dlp author pukkandan on GitHub know.
Thanks for the quick answer.

The only downside in this will be that this will have to be done for many 
programs and scripts in the future; and for more and more persons (using our ID 
certificate will be only more preponderant as time passes).
So is it impossible to just somehow circumvent or add as exclusions those 
certificates? I could send them all to you..?

--
resolution: third party -> remind




[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

2021-09-28 Thread Steve Dower


Steve Dower  added the comment:

This needs to be a feature request against the script that you're running. They 
have the option of not verifying TLS certificates if they choose not to, but 
they are explicitly enabling the checks right now.

We can't add a command line option to disable it for them. You'll need to find 
the place where they work and request it there.

--
resolution:  -> third party
stage:  -> resolved
status: open -> closed




[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

2021-09-28 Thread Dimitrije Milović

Change by Dimitrije Milović :


Added file: 
https://bugs.python.org/file50314/135087546-e6fd1b05-6858-4e0f-ad3f-857c614bb15b.png




[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

2021-09-28 Thread Dimitrije Milović

Change by Dimitrije Milović :


Added file: 
https://bugs.python.org/file50313/135081521-83d466d9-c71d-465c-96a2-652c2549c461.png




[issue45312] "MUPCA Root" Certificates - treated as invalid and cause error, but are walid and necessary

2021-09-28 Thread Dimitrije Milović

New submission from Dimitrije Milović :

I just commented on the issue here 
https://bugs.python.org/issue35665?@ok_message=issue%2035665%20files%20edited%20ok&@template=item,
 but noticed "closed" so better start a new issue, and to further update 
the importance of those certificates...

I came to this issue (still persistent with all python versions since 3.6) 
while using yt-dlp: https://github.com/yt-dlp/yt-dlp/issues/1060

I obviously have the SAME problem as the guys in your link since I am from 
Serbia too, and those certificates "MUPCA Root" are (unfortunately-badly 
executed) crucial (issued by the ministry of interior - police ) ones to be 
able to read ID cards and use personal signing certificates, and they are 
all valid...
So the option to remove the faulty certificates, is a no go to me (or anyone in 
Serbia using their ID card - individuals, companies and entrepreneurs like 
me)...

Please help!

--
components: Windows
files: Untitled.png
messages: 402784
nosy: MDM-1, paul.moore, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
status: open
title: "MUPCA Root" Certificates - treated as invalid and cause error, but are 
walid and necessary
type: crash
versions: Python 3.9
Added file: https://bugs.python.org/file50312/Untitled.png
