From 8c01b3426860acd5252a644e222b1d0d1f4e118f Mon Sep 17 00:00:00 2001
From: "Miss Islington (bot)" <31488909+miss-islington@users.noreply.github.com>
Date: Mon, 2 Sep 2024 12:53:59 +0200
Subject: [PATCH] [3.13] gh-79846: Make ssl.create_default_context() ignore invalid certificates (GH-91740) (#122768)

gh-79846: Make ssl.create_default_context() ignore invalid certificates (GH-91740)

An error in one certificate should not cause the whole thing to fail.

(cherry picked from commit 9e551f9b351440ebae79e07a02d0e4a1b61d139e)

Co-authored-by: pukkandan
Co-authored-by: Serhiy Storchaka
---
 Lib/ssl.py | 9 ++++-----
 .../2022-04-20-18-32-30.gh-issue-79846.Vggv3f.rst | 2 ++
 2 files changed, 6 insertions(+), 5 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Windows/2022-04-20-18-32-30.gh-issue-79846.Vggv3f.rst

diff --git a/Lib/ssl.py b/Lib/ssl.py
index f248e1404ba..c8703b046cf 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -513,18 +513,17 @@ class SSLContext(_SSLContext):
         self._set_alpn_protocols(protos)
 
     def _load_windows_store_certs(self, storename, purpose):
-        certs = bytearray()
         try:
             for cert, encoding, trust in enum_certificates(storename):
                 # CA certs are never PKCS#7 encoded
                 if encoding == "x509_asn":
                     if trust is True or purpose.oid in trust:
-                        certs.extend(cert)
+                        try:
+                            self.load_verify_locations(cadata=cert)
+                        except SSLError as exc:
+                            warnings.warn(f"Bad certificate in Windows certificate store: {exc!s}")
         except PermissionError:
             warnings.warn("unable to enumerate Windows certificate store")
-        if certs:
-            self.load_verify_locations(cadata=certs)
-        return certs
 
     def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
         if not isinstance(purpose, _ASN1Object):
diff --git a/Misc/NEWS.d/next/Windows/2022-04-20-18-32-30.gh-issue-79846.Vggv3f.rst b/Misc/NEWS.d/next/Windows/2022-04-20-18-32-30.gh-issue-79846.Vggv3f.rst
new file mode 100644
index 00000000000..82c26701e0e
--- /dev/null
+++ b/Misc/NEWS.d/next/Windows/2022-04-20-18-32-30.gh-issue-79846.Vggv3f.rst
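Review bot: The new warning emitted in `_load_windows_store_certs` does not say which store the rejected certificate came from, even though `storename` is a parameter of the method and `load_default_certs` (whose body is outside this hunk) is the caller that passes it in; an operator auditing why a root was skipped gets only the OpenSSL error text. Suggest `warnings.warn(f"Bad certificate in Windows certificate store {storename!r}: {exc}")`, which also drops the `!s` conversion that is redundant inside an f-string. The method no longer returns the accumulated `certs` bytearray, so any caller that used the return value would now get `None`; the only call site visible in this file is outside the hunk and should be checked. Only `SSLError` is caught per certificate, so any other exception from `load_verify_locations` still aborts the remaining enumeration, which may be intended but is worth stating in a comment on the inner `try`.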
@@ -0,0 +1,2 @@
+Makes :code:`ssl.create_default_context()` ignore invalid certificates in
+the Windows certificate store