From d2770a27ed20083245cc38fa977be3f8841067dc Mon Sep 17 00:00:00 2001
From: pukkandan
Date: Wed, 20 Apr 2022 17:32:26 +0530
Subject: [PATCH 1/3] [ssl] Load CA certificates one by one

An error in one certificate should not cause the whole thing to crash

Fixes https://github.com/python/cpython/issues/79846, https://github.com/python/cpython/issues/89475
---
 Lib/ssl.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/Lib/ssl.py b/Lib/ssl.py
index dafb70a67864c4..01f47102894558 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -577,14 +577,17 @@ def _load_windows_store_certs(self, storename, purpose):
 certs = bytearray()
 try:
 for cert, encoding, trust in enum_certificates(storename):
- # CA certs are never PKCS#7 encoded
- if encoding == "x509_asn":
- if trust is True or purpose.oid in trust:
- certs.extend(cert)
+ try:
+ self.load_verify_locations(cadata=cert)
+ except SSLError:
+ warnings.warn("Bad certificiate in Windows certificate store")
+ else:
+ # CA certs are never PKCS#7 encoded
+ if encoding == "x509_asn":
+ if trust is True or purpose.oid in trust:
+ certs.extend(cert)
 except PermissionError:
 warnings.warn("unable to enumerate Windows certificate store")
- if certs:
- self.load_verify_locations(cadata=certs)
 return certs
 def load_default_certs(self, purpose=Purpose.SERVER_AUTH):

From 3411826e649ff68365bf8e887978f0c75718f661 Mon Sep 17 00:00:00 2001
From: pukkandan
Date: Wed, 20 Apr 2022 18:34:50 +0530
Subject: [PATCH 2/3] Add NEWS entry

---
 .../next/Windows/2022-04-20-18-32-30.gh-issue-79846.Vggv3f.rst | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Windows/2022-04-20-18-32-30.gh-issue-79846.Vggv3f.rst

diff --git a/Misc/NEWS.d/next/Windows/2022-04-20-18-32-30.gh-issue-79846.Vggv3f.rst b/Misc/NEWS.d/next/Windows/2022-04-20-18-32-30.gh-issue-79846.Vggv3f.rst
new file mode 100644
index 00000000000000..82c26701e0e0bc
--- /dev/null
+++ b/Misc/NEWS.d/next/Windows/2022-04-20-18-32-30.gh-issue-79846.Vggv3f.rst
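Review bot: The added `try` calls `self.load_verify_locations(cadata=cert)` before the `encoding == "x509_asn"` and `trust is True or purpose.oid in trust` checks, so every certificate enumerated from the store — including ones whose trust set does not contain the requested purpose, and non-x509_asn blobs — is installed as a verification anchor, while only the returned `certs` buffer is still filtered. That silently widens the trust store beyond what the `purpose` argument asks for, which is a regression relative to the removed batch load. The filter should stay first and the per-certificate load move inside it: `if encoding == "x509_asn" and (trust is True or purpose.oid in trust): try: self.load_verify_locations(cadata=cert) except SSLError: warnings.warn(...)`; the message also misspells "certificiate". The third patch in this series appears to make that reordering, so this applies to the intermediate state; `load_default_certs` continues past the hunk.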
@@ -0,0 +1,2 @@
+Makes :code:`ssl.create_default_context()` ignore invalid certificates in
+the Windows certificate store

From 9d31e3a64d7ef68016a768022434d3db3c6cc1f4 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka
Date: Mon, 29 Jul 2024 22:19:42 +0300
Subject: [PATCH 3/3] Load only certificates that have correct encoding and purpose.

---
 Lib/ssl.py | 18 +++++++----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/Lib/ssl.py b/Lib/ssl.py
index 38dc4f3b02ddf8..a3ecf5380e4e30 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -513,21 +513,17 @@ def set_alpn_protocols(self, alpn_protocols):
 self._set_alpn_protocols(protos)
 def _load_windows_store_certs(self, storename, purpose):
- certs = bytearray()
 try:
 for cert, encoding, trust in enum_certificates(storename):
- try:
- self.load_verify_locations(cadata=cert)
- except SSLError:
- warnings.warn("Bad certificiate in Windows certificate store")
- else:
- # CA certs are never PKCS#7 encoded
- if encoding == "x509_asn":
- if trust is True or purpose.oid in trust:
- certs.extend(cert)
+ # CA certs are never PKCS#7 encoded
+ if encoding == "x509_asn":
+ if trust is True or purpose.oid in trust:
+ try:
+ self.load_verify_locations(cadata=cert)
+ except SSLError as exc:
+ warnings.warn(f"Bad certificate in Windows certificate store: {exc!s}")
 except PermissionError:
 warnings.warn("unable to enumerate Windows certificate store")
- return certs
 def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
 if not isinstance(purpose, _ASN1Object):
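Review bot: The new `except SSLError as exc:` branch drops a certificate that OpenSSL rejects and the `warnings.warn(...)` call is the only signal that the resulting trust set is smaller than the store's contents; since warnings are commonly filtered out, the message should at least say which store was affected, e.g. `warnings.warn(f"Bad certificate in Windows certificate store {storename!r}: {exc!s}")`. Skipping a cert only removes an anchor (fail-closed), so this is a diagnosability point rather than a bypass, but a triage path for "TLS suddenly fails on this host" needs it. Removing `return certs` makes the method return `None`; `load_default_certs` is cut off by the hunk, so confirm no caller consumes the old byte buffer. The method also has no docstring; I would add `"""Add the x509_asn certificates in *storename* trusted for *purpose* to this context's verify store, skipping any OpenSSL rejects with a warning."""`.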