SSLContext._load_windows_store_certs fails with PermissionError #71301

Closed
zooba opened this issue May 24, 2016 · 5 comments
zooba commented May 24, 2016

BPO 27114
Nosy @pfmoore, @tjguk, @zware, @zooba
Files
  • 27114_1.patch
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = 'https://github.com/zooba'
    closed_at = <Date 2016-05-26.19:28:09.035>
    created_at = <Date 2016-05-24.22:24:35.621>
    labels = ['type-bug', 'OS-windows']
    title = 'SSLContext._load_windows_store_certs fails with PermissionError'
    updated_at = <Date 2016-05-26.19:28:09.034>
    user = 'https://github.com/zooba'

    bugs.python.org fields:

    activity = <Date 2016-05-26.19:28:09.034>
    actor = 'steve.dower'
    assignee = 'steve.dower'
    closed = True
    closed_date = <Date 2016-05-26.19:28:09.035>
    closer = 'steve.dower'
    components = ['Windows']
    creation = <Date 2016-05-24.22:24:35.621>
    creator = 'steve.dower'
    dependencies = []
    files = ['42979']
    hgrepos = []
    issue_num = 27114
    keywords = ['patch']
    message_count = 5.0
    messages = ['266285', '266286', '266448', '266449', '266450']
    nosy_count = 5.0
    nosy_names = ['paul.moore', 'tim.golden', 'python-dev', 'zach.ware', 'steve.dower']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue27114'
    versions = ['Python 2.7', 'Python 3.5', 'Python 3.6']

    zooba commented May 24, 2016

    In some restricted server scenarios, it is not possible to enumerate the Windows machine certificate store. A PermissionError is raised and the operation aborted.

    Instead, we should simply return no certificates from _load_windows_store_certs. This will most likely cause the SSL request to fail (as the certificate cannot be verified), but it allows the use of SSL_CERT_FILE to use certificates from a local file. Without handling the PermissionError, it doesn't matter whether the environment variable is set or not - we simply fail every time.

    @zooba zooba self-assigned this May 24, 2016
    @zooba zooba added OS-windows type-bug An unexpected behavior, bug, or error labels May 24, 2016
    zooba commented May 24, 2016

    Added a patch against 3.5 that handles PermissionError and warns about the failure.

    I think this should be applied against 2.7, 3.5 and 3.6, and that it's unfortunately untestable (without adding extra API to force it to fail). Any concerns?

    python-dev mannequin commented May 26, 2016

    New changeset 40f3f2b27112 by Steve Dower in branch '2.7':
    Issue bpo-27114: Fix SSLContext._load_windows_store_certs fails with PermissionError
    https://hg.python.org/cpython/rev/40f3f2b27112

    python-dev mannequin commented May 26, 2016

    New changeset 29f163db229e by Steve Dower in branch '3.5':
    Issue bpo-27114: Fix SSLContext._load_windows_store_certs fails with PermissionError
    https://hg.python.org/cpython/rev/29f163db229e

    New changeset eaee5aed6fbc by Steve Dower in branch 'default':
    Issue bpo-27114: Fix SSLContext._load_windows_store_certs fails with PermissionError
    https://hg.python.org/cpython/rev/eaee5aed6fbc

    zooba commented May 26, 2016

    One slight change to the patch for 2.7 - has to catch OSError.

    Just realised that I forgot to mention the reason we shouldn't just let the exception propagate out is that we then never load certificates specified by the SSL_CERT_FILE variable. Handling the exception allows a workaround.

    If the exception occurs and no other certificates have been provided, it seems certain that a later operation is going to fail with a much more useful message (i.e. unverifiable connection, or whatever it says). There are also libraries (I think urllib is the one that was causing me actual trouble) that keep retrying the call when it fails, and all of those would need to be updated to handle this error.

    The docs don't specify potential exceptions, so I see only good by not raising an exception here.

    @zooba zooba closed this as completed May 26, 2016
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
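
The behaviour requested in this issue, as an added example that is not the CPython patch or code from any participant: a store loader that swallows `PermissionError`, warns, and leaves the context with no trust anchors, so verification stays fail-closed until a CA file is supplied. `load_store_certs`, `denied_store` and `demo` are hypothetical names; the enumerator is injected so the failure can be reproduced without a locked-down Windows host.

```python
import ssl
import warnings


def load_store_certs(ctx, enumerate_store, storename,
                     purpose=ssl.Purpose.SERVER_AUTH):
    """Load CA certs from a store; treat an unreadable store as empty."""
    certs = bytearray()
    try:
        # Same tuple shape as ssl.enum_certificates(): (der, encoding, trust)
        for cert, encoding, trust in enumerate_store(storename):
            if encoding == "x509_asn" and (trust is True or purpose.oid in trust):
                certs.extend(cert)
    except PermissionError:
        # Do not abort: later loading steps (e.g. a CA file) must still run.
        warnings.warn("unable to enumerate Windows certificate store")
    if certs:
        ctx.load_verify_locations(cadata=bytes(certs))
    return bytes(certs)


def denied_store(storename):
    # Constructed stand-in for a store the process is not allowed to read.
    raise PermissionError(13, "Access is denied")


def demo():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        loaded = [load_store_certs(ctx, denied_store, name)
                  for name in ("CA", "ROOT")]
    return {
        "loaded": loaded,
        "warnings": len(caught),
        # No trust anchors were added, and verification is still enforced,
        # so a handshake fails closed rather than trusting anything.
        "ca_count": ctx.cert_store_stats()["x509_ca"],
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print(demo())
```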