
Author Adam.Goodman
Recipients Adam.Goodman, christian.heimes
Date 2014-03-13.19:48:20
Message-id <1394740101.16.0.76901026465.issue20916@psf.upfronthosting.co.za>
Content
Starting with Vista, Microsoft began shipping only a very minimal set of root CA certificates with Windows. Microsoft does trust many other authorities, but for these, Windows relies on the "Update Root Certificates" feature: http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx

"... if the application is presented with a certificate issued by a certification authority in a PKI that is not directly trusted, the Update Root Certificates feature (if it is not turned off) will contact the Windows Update Web site to see if Microsoft has added the certificate of the root CA to its list of trusted root certificates. If the CA has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the set of trusted root certificates on the user's computer."

Critically, this update mechanism is only invoked if you're using CryptoAPI functions to validate a specific chain; if you just ask Windows to enumerate the certificates it knows about, it won't pull anything down from Windows Update.

(Some concrete numbers: on a clean installation of Windows 8.1, running certmgr.msc shows 18 certificates listed in the "Trusted Root Certification Authorities"; by contrast, OS X comes with over 200 trusted roots).

To confirm this is an issue, I did the following:

1. Start with a clean Windows 8.1 VM image (I used the one from http://www.modern.ie/en-us/virtualization-tools#downloads). It is critical that the image be completely clean - i.e. you have never visited https://python.org in any web browser, etc.

2. Install Python 3.4.0 RC 3 (32-bit)

3. Run the attached script (which just does a request to https://python.org/ with cert validation enabled). It prints out 14 CA certificate subjects, then fails with "ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)". At the time I'm reporting this issue, python.org uses a certificate that chains back to the "DigiCert High Assurance EV Root CA", which is not included in clean installations of Windows.

4. Browse to https://python.org in Internet Explorer

5. Run the attached script again. Now it prints out 17 CA certificate subjects, and the HTTPS request completes successfully.

Right now, the only idea I have for resolving this would require significant architectural changes - instead of pulling the certificates from Windows into an OpenSSL context, hook the OpenSSL verify callbacks to retrieve the leaf and intermediate certificates provided by the server, then use CryptoAPI functions (probably CertGetCertificateChain?) to have Windows perform the actual chain validation.
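
A diagnostic in the spirit of the reproduction above, as an added example (it is not the script attached to the report, which is not shown on this page): it tells a handshake failure caused by a root that is absent from the locally loaded store apart from other verification failures. The function names and `SAMPLE_STORE` are constructed for illustration, and `ssl.SSLCertVerificationError` needs Python 3.7 or later, newer than the 3.4.0 RC used in the report.

```python
import socket
import ssl

# OpenSSL verify codes raised when no trusted issuer is found locally:
# 19 = self-signed cert in chain (root sent but untrusted), 20 = issuer not found.
MISSING_ISSUER_CODES = {19, 20}

def subject_cn(cert):
    """commonName from a dict in the format returned by SSLContext.get_ca_certs()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def missing_roots(required, loaded_certs):
    """Required root names that are absent from the certs loaded into the context."""
    present = {subject_cn(c) for c in loaded_certs}
    return [name for name in required if name not in present]

def diagnose(verify_code, required, loaded_certs):
    """Classify a handshake result against the roots currently loaded."""
    if verify_code is None:
        return "verified"
    absent = missing_roots(required, loaded_certs)
    if verify_code in MISSING_ISSUER_CODES and absent:
        return "root not in local store: " + ", ".join(absent)
    return "verify failed (code %d)" % verify_code

def probe(host, required, port=443, timeout=10):
    """Live check with validation enabled; needs network access."""
    ctx = ssl.create_default_context()  # copies the OS store via load_default_certs()
    loaded = ctx.get_ca_certs()
    code = None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as exc:
        code = exc.verify_code
    return len(loaded), diagnose(code, required, loaded)

# Constructed sample entries in get_ca_certs() format (not a real store dump).
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Corp"),), (("commonName", "Example Root CA A"),))},
    {"subject": ((("commonName", "Example Root CA B"),),)},
]

if __name__ == "__main__":
    print(probe("python.org", ["DigiCert High Assurance EV Root CA"]))
```

The root name passed to `probe` is the one the report names for python.org at the time; substitute the root your own endpoint chains to.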