classification
Title: Python to use Windows Certificate Store
Type: behavior Stage: resolved
Components: SSL Versions: Python 3.5
process
Status: closed Resolution: third party
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: Jean-Philippe Landry, christian.heimes
Priority: normal Keywords:

Created on 2016-10-28 12:57 by Jean-Philippe Landry, last changed 2018-05-24 14:03 by Jean-Philippe Landry. This issue is now closed.

Messages (2)
msg279602 - Author: Jean-Philippe Landry (Jean-Philippe Landry) Date: 2016-10-28 12:57
Hello,

Would it be possible for Python to use the Certificate Store in Windows instead of a predetermined list of certificates? The use case is as follows:

Multiple machines are on a corporate network where there is a man-in-the-middle packet inspection (IT security stuff...) that will re-sign most of the SSL connections with its own certificate, which is unfortunately not part of the Python default store. There are also multiple behind-the-firewall servers using self-signed certificates. That means that almost all SSL requests, including pip install, will throw the famous [SSL: CERTIFICATE_VERIFY_FAILED] error.

This is transparent in Chrome because Chrome is using the Windows store to determine whether a certificate is trusted or not, and all those custom certificates are in the Windows store.

However, Python uses its own file (a list of approved certificates). I understand that this can be overridden by using a custom, manually managed .crt file and setting it in an environment variable (REQUESTS_CA_BUNDLE), and it works. However, this involves manual operation and undesired maintenance whenever a new certificate is added to the store. The Windows store itself gets updated periodically by IT, so it is not an issue.

Is there a rationale behind using a specific file instead of the Windows store, which works for Chrome, IE, etc.?

Best regards,

Jean-Philippe
msg279603 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-10-28 13:01
Python's ssl library has used Windows' cert store since 3.4 / 2.7.9. Some third-party applications like requests or pip prefer to use their own cert store instead. This decision is beyond the control of Python.

https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_default_certs
https://docs.python.org/3/library/ssl.html#ssl.enum_certificates
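The two links above point at the stdlib pieces that matter here: ssl.SSLContext.load_default_certs(), which on Windows reads the system ROOT and CA stores, and ssl.enum_certificates(), which hands those stores' contents to Python code. The following is an added example (not code from CPython, pip, requests, or either participant in this issue) that uses them to do what the reporter asked for by hand: dump the Windows trust stores into one PEM bundle so that tools which keep their own CA file can be pointed at it. The store names "ROOT" and "CA", the output file name and the constructed sample used to exercise the converter are this example's own assumptions; ssl.enum_certificates() exists only in Windows builds of Python, so the code degrades to an empty export elsewhere rather than failing.

```python
"""Export the Windows certificate stores to a PEM bundle for tools that
ignore the OS store (pip, requests).

Added example for this tracker page; not CPython, pip or requests code.
Assumptions: the store names in STORE_NAMES and the output file name are
this example's own choices.
"""
import hashlib
import ssl
import sys

# Windows system stores holding trust anchors: "ROOT" is Trusted Root
# Certification Authorities, "CA" is Intermediate Certification Authorities.
# These are the stores SSLContext.load_default_certs() reads on Windows.
STORE_NAMES = ("ROOT", "CA")

# id-kp-serverAuth: the extended-key-usage OID required to verify a TLS server.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"


def os_trust_store_certs(store_names=STORE_NAMES):
    """Return (der_bytes, encoding, trust) tuples from the named system stores.

    ssl.enum_certificates exists only in Windows builds of Python, so on other
    platforms this returns an empty list instead of raising AttributeError.
    """
    if not hasattr(ssl, "enum_certificates"):
        return []
    certs = []
    for name in store_names:
        certs.extend(ssl.enum_certificates(name))
    return certs


def usable_for_server_auth(trust):
    """enum_certificates() reports trust as True (valid for every purpose) or
    as a set of EKU OIDs; only certs allowed for serverAuth belong in the bundle."""
    return trust is True or SERVER_AUTH_OID in trust


def build_pem_bundle(certs):
    """Convert enum_certificates() output into one concatenated PEM bundle.

    Skips PKCS#7 blobs (encoding "pkcs_7_asn"), certs not trusted for
    serverAuth, and duplicates (the same CA often sits in both stores).
    """
    seen = set()
    pems = []
    for der, encoding, trust in certs:
        if encoding != "x509_asn" or not usable_for_server_auth(trust):
            continue
        digest = hashlib.sha256(der).digest()
        if digest in seen:
            continue
        seen.add(digest)
        # DER_cert_to_PEM_cert only base64-wraps the bytes; it does not parse them.
        pems.append(ssl.DER_cert_to_PEM_cert(der))
    return "".join(pems)


def os_ca_count():
    """Number of CA certs the stdlib's own default context picked up from the
    OS store. create_default_context() calls load_default_certs() for
    Purpose.SERVER_AUTH, which on Windows reads the ROOT and CA stores."""
    ctx = ssl.create_default_context()
    return ctx.cert_store_stats()["x509_ca"]


def write_bundle(path="windows-ca-bundle.pem"):
    """Write the bundle to `path` and return how many certificates it holds."""
    bundle = build_pem_bundle(os_trust_store_certs())
    with open(path, "w", encoding="ascii") as fh:
        fh.write(bundle)
    return bundle.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    print("stdlib default context loaded %d CA certs" % os_ca_count())
    if sys.platform != "win32":
        sys.exit("ssl.enum_certificates is Windows-only; nothing to export")
    path = "windows-ca-bundle.pem"
    n = write_bundle(path)
    print("wrote %d certificates to %s; point pip and requests at it with:" % (n, path))
    print("  set PIP_CERT=%s" % path)
    print("  set REQUESTS_CA_BUNDLE=%s" % path)
```

Re-run the script whenever IT pushes new certificates to the store (a scheduled task is enough); the stdlib's own ssl.create_default_context() needs none of this, since it already trusts whatever the ROOT and CA stores contain. Filtering on the serverAuth EKU matters: the Windows store also holds roots restricted to code signing or e-mail, and a blanket export would make pip trust them for TLS.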
History
Date | User | Action | Args
2018-05-24 14:03:30 | Jean-Philippe Landry | set | status: open -> closed; resolution: third party; stage: resolved
2016-10-28 13:01:09 | christian.heimes | set | messages: + msg279603
2016-10-28 12:57:15 | Jean-Philippe Landry | create |