Classification
Title: Certificate added to Win Store not available
Type: behavior    Stage: resolved
Components: SSL, Windows    Versions: Python 3.7
Process
Status: closed    Resolution: duplicate
Dependencies:    Superseder: ssl.enum_certificates() regression (issue35941)
Assigned To: christian.heimes
Nosy List: christian-intra2net, christian.heimes, paul.moore, steve.dower, tim.golden, zach.ware
Priority: normal    Keywords:

Created on 2019-03-18 11:40 by christian-intra2net, last changed 2019-03-21 16:27 by christian-intra2net. This issue is now closed.

Files
File name    Uploaded    Description
list_cas.py    christian-intra2net, 2019-03-19 08:53    Sample program listing certificates and trying to connect to socket
python-cert-problem.zip    christian-intra2net, 2019-03-19 08:58    Zip archive with certificates and screenshots
Messages (6)
msg338198 - Author: Christian Herdtweck (christian-intra2net) Date: 2019-03-18 11:40
I have created a self-signed certificate as my fake CA, used it to sign the certificate of my test server. I added the fake CA to the client (Windows 7) certificate store (System settings > Internet Settings > Content > Certificates), imported it there first only to "trusted root certificate authorities" (translating from German "Vertrauenswürdige Stammzertifizierungsstellen" here), after failed tests to all tabs (including "own certificates", "intermediate certification authorities", but not the "non-trusted issuers").

I can see my fake CA certificate in the lists in the Windows settings, but querying the Windows CA store through Python (version 3.7), either through ssl.create_default_context().get_ca_certs() or ssl.enum_certificates(store) for store in ("CA", "ROOT", "MY"), I only see some default builtin authorities (DigiCert, Microsoft, Comodo, VeriSign, etc.).

This might be related to https://bugs.python.org/issue36011 . The related PR https://github.com/python/cpython/pull/11923 is now closed but I do not see the commit in master/3.7/feature-version branch. Was it dismissed?

I am aware there are options to add certificate files to SSL_CERT_DIR, but it is my understanding that Python now uses the Windows certificate store and that is where in my case the certificate should go.
msg338200 - Author: Christian Herdtweck (christian-intra2net) Date: 2019-03-18 11:42
I should have added the behavioral result:

(1) opening my server's web (https, port 443) page using IE works fine without certificate questions/errors
(2) creating an ssl-wrapped socket to the server on the same port (443) fails with a Certificate error
msg338330 - Author: Christian Herdtweck (christian-intra2net) Date: 2019-03-19 08:53
A colleague motivated me to add some example data. Attached you will find a small sample program listing the certificates and trying to connect to my machine.

Output of the program:
Text "fake" nowhere to be found :-(

Traceback (most recent call last):
  File "list_cas.py", line 88, in <module>
    sys.exit(main())
  File "list_cas.py", line 83, in main
    ssl_sock.connect((MY_SERVER, 443))
  File "C:\Program Files (x86)\Python37-32\lib\ssl.py", line 1150, in connect
    self._real_connect(addr, False)
  File "C:\Program Files (x86)\Python37-32\lib\ssl.py", line 1141, in _real_connect
    self.do_handshake()
  File "C:\Program Files (x86)\Python37-32\lib\ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
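An added diagnostic along the lines of what the attached list_cas.py is described as doing (this is example code written for this page, not the reporter's script and not CPython's own code): it enumerates the Windows stores named above with ssl.enum_certificates(), keeps only certificates trusted for server authentication, loads them explicitly into a context together with an optional PEM file (the load_verify_locations fallback for when the store is not picked up), and searches the loaded CA subjects for a string such as "fake". The store names, the serverAuth OID 1.3.6.1.5.5.7.3.1 and the "x509_asn" encoding label are those documented for ssl.enum_certificates(); the command-line arguments are an assumption of this example. On non-Windows platforms enum_certificates() does not exist and the store step is skipped rather than failing.

```python
import ssl

# Extended key usage OID for TLS server authentication. ssl.enum_certificates()
# reports trust either as True (all purposes) or as a set of such OID strings.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"


def server_auth_cas(entries):
    """Keep the DER certificates from enum_certificates()-style
    (cert_bytes, encoding, trust) tuples that may be used to verify a server."""
    keep = []
    for cert_bytes, encoding, trust in entries:
        if encoding != "x509_asn":
            continue  # "pkcs_7_asn" blobs are not single certificates
        if trust is True or (isinstance(trust, (set, frozenset)) and SERVER_AUTH_OID in trust):
            keep.append(cert_bytes)
    return keep


def windows_store_cas(stores=("ROOT", "CA", "MY")):
    """Gather server-auth CAs from the named Windows system stores.
    Returns None where ssl.enum_certificates() does not exist (non-Windows)."""
    enum = getattr(ssl, "enum_certificates", None)
    if enum is None:
        return None
    entries = []
    for store in stores:
        entries.extend(enum(store))
    return server_auth_cas(entries)


def context_with_cas(der_certs, extra_cafile=None):
    """Default context plus explicitly loaded CAs: the store contents (if any)
    and an optional PEM file, the workaround when the store is not being read."""
    ctx = ssl.create_default_context()
    if der_certs:
        pem = "".join(ssl.DER_cert_to_PEM_cert(d) for d in der_certs)
        ctx.load_verify_locations(cadata=pem)
    if extra_cafile:
        ctx.load_verify_locations(cafile=extra_cafile)
    return ctx


def subjects_containing(ctx, needle):
    """Subject strings of the loaded CAs that contain needle (case-insensitive)."""
    hits = []
    for cert in ctx.get_ca_certs():
        subject = ", ".join(f"{k}={v}" for rdn in cert.get("subject", ()) for k, v in rdn)
        if needle.lower() in subject.lower():
            hits.append(subject)
    return hits


if __name__ == "__main__":
    import sys
    # Assumed CLI shape for this example: [needle] [path to CA PEM file]
    needle = sys.argv[1] if len(sys.argv) > 1 else "fake"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    store_cas = windows_store_cas()
    if store_cas is None:
        print("ssl.enum_certificates() not available on this platform")
    else:
        print(f"{len(store_cas)} server-auth certificates found in the Windows stores")
    ctx = context_with_cas(store_cas or [], cafile)
    hits = subjects_containing(ctx, needle)
    print(f"CAs matching {needle!r}: {hits or 'none'}")
```

If the subject search finds the fake CA only after the PEM file is passed explicitly, the certificate is fine and the problem is the store enumeration, which is exactly the distinction the superseding issue is about; an "unable to get local issuer certificate" handshake failure with the same context then confirms that verification is using the CAs listed here.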
msg338332 - Author: Christian Herdtweck (christian-intra2net) Date: 2019-03-19 08:58
Certificates (fake CA and the signed certificate) as well as 2 screenshots from the import process
msg338551 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-03-21 15:58
Yeah, this is a dup of issue35941. I'm not sure why the contributor withdrew their PR, but it seems that is what happened.
msg338556 - Author: Christian Herdtweck (christian-intra2net) Date: 2019-03-21 16:27
Sorry, right, that is the issue I meant. Continuing there.
History
Date    User    Action    Args
2019-03-21 16:27:48    christian-intra2net    set    messages: + msg338556
2019-03-21 15:58:02    steve.dower    set    status: open -> closed; superseder: ssl.enum_certificates() regression; components: + Windows; nosy: + paul.moore, tim.golden, zach.ware; messages: + msg338551; resolution: duplicate; stage: resolved
2019-03-19 18:55:57    brett.cannon    set    nosy: + steve.dower
2019-03-19 08:58:44    christian-intra2net    set    files: + python-cert-problem.zip; messages: + msg338332
2019-03-19 08:53:13    christian-intra2net    set    files: + list_cas.py; messages: + msg338330
2019-03-18 11:42:24    christian-intra2net    set    messages: + msg338200
2019-03-18 11:40:20    christian-intra2net    create