gh-79846: Make ssl.create_default_context() ignore invalid certificates (GH-91740)

An error in one certificate should not cause the whole thing to fail.

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
pukkandan 2024-08-07 14:00:30 +05:30 committed by GitHub
parent b6c80e21c7
commit 9e551f9b35
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 6 additions and 5 deletions


@ -513,18 +513,17 @@ class SSLContext(_SSLContext):
self._set_alpn_protocols(protos)
def _load_windows_store_certs(self, storename, purpose):
certs = bytearray()
try:
for cert, encoding, trust in enum_certificates(storename):
# CA certs are never PKCS#7 encoded
if encoding == "x509_asn":
if trust is True or purpose.oid in trust:
certs.extend(cert)
try:
self.load_verify_locations(cadata=cert)
except SSLError as exc:
warnings.warn(f"Bad certificate in Windows certificate store: {exc!s}")
except PermissionError:
warnings.warn("unable to enumerate Windows certificate store")
if certs:
self.load_verify_locations(cadata=certs)
return certs
def load_default_certs(self, purpose=Purpose.SERVER_AUTH):
if not isinstance(purpose, _ASN1Object):
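Review bot: The warning raised in the `except SSLError` branch of `_load_windows_store_certs` does not say which store held the skipped entry, so anyone triaging a partially loaded trust store has only the error text to go on. Naming the store would make it actionable, e.g. `warnings.warn(f"Bad certificate in Windows certificate store {storename!r}: {exc!s}")`, and passing a `stacklevel` would point the warning at the caller rather than at this module. The rendered page has lost its +/- markers, but if the `certs` accumulator and the final `return certs` are the removed side, as the addition/deletion counts suggest, the method now returns None; a one-line docstring saying so would stop callers expecting the bytes back. The `load_default_certs` definition that follows is cut off by the hunk.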


@ -0,0 +1,2 @@
Makes :code:`ssl.create_default_context()` ignore invalid certificates in
the Windows certificate store