certifi runtime hook interferes with ssl.load_default_certs() #332
Comments
I don't know anything about certifi so I can't say much other than that I would also expect PyInstaller's behaviour to mirror the unfrozen behaviour. I'd really like to know what the rationale behind pyinstaller/pyinstaller#3952 was though before I start deleting hooks. @ktong Are you still on GitHub? Can you comment?
certifi provides root certificates in the form of the
The key word there is provides. It is up to the rest of your application to choose to use certifi's certificates or not. For example, the Running my script from source shows the correct behavior, which is that even though certifi is installed, Running from bundled shows different/incorrect behavior - the htgoebel's first comment on the original PR pyinstaller/pyinstaller#3952 (comment) was correct.
https://github.com/pyinstaller/pyinstaller/wiki/Recipe-OpenSSL-Certificate also has a mention of the behavior change that pyinstaller/pyinstaller#3952 introduced. But I agree that this should be opt-in, not opt-out, to keep behavior consistent with unfrozen version.
Ok, looks like we're not going to get an answer from pyinstaller/pyinstaller#3952's author. @LincolnPuzey Go ahead and delete that runtime hook then.
I think the hook should be removed mainly because it gives inconsistent behavior between frozen/unfrozen. However removing the hook will cause frozen applications to behave inconsistently across different computers when the computers have different certificates available from the Operating System. Personally, my frozen application is distributed across Windows machines I have no control of and no knowledge of what certificates are available from Windows, so I will be adding code to my application to add back this behavior since it is essential for reliably verifying the domain my application connects to. So to be clear, removing this hook is a breaking change, if your application relies on the certificates in
Unfortunately, it is likely that there are developers that don't know their application is currently relying on this behavior. A trap developers might fall into is if they do the following
This hook is being deleted because it is not required for certifi to function and it introduces inconsistent behavior between frozen/unfrozen code.
Surely though, the correct way to give ssl the certificates from certifi (without PyInstaller) is to give it the certificates file directly?
context = ssl.create_default_context(cafile=certifi.where())
In which case, relying on our runtime hook's meddling is really broken code so removing this hook is only breaking in the sense that it's not bug for bug backwards compatible.
Yes, I meant I'll be doing something like what you suggested (I won't be setting
For reference here are the OpenSSL docs describing the
Describe the bug
The certifi runtime hook which was added in pyinstaller/pyinstaller#3952 sets the SSL_CERT_FILE environment variable to the path to certifi's cacert.pem.
This causes all the certificates in cacert.pem to be loaded by ssl.load_default_certs() and therefore to be included in the SSLContext created by ssl.create_default_context()
To Reproduce
My script
print_certs.py
output when running from source in venv with requests/certifi installed
Output when bundled with pyinstaller (all default options)
Expected behavior
I would expect the output of cert_store_stats() for bundled to be the same as non-bundled.
Desktop:
pyinstaller-hooks-contrib: 2021.3
Proposed Solution
I think the certifi runtime hook should be removed.
SSL_CERT_FILE env variable is not required for certifi to function
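A startup check for the behaviour this issue describes, as an added example (not code from the issue or from PyInstaller): it reports whether SSL_CERT_FILE or SSL_CERT_DIR redirects the store that ssl.load_default_certs() reads, and compares cert_store_stats() with and without the variable set. The function names are hypothetical and the bundle path is supplied by the caller.

```python
import os
import ssl
import sys
import tempfile
from contextlib import contextmanager


def default_trust_report():
    """Report where ssl.load_default_certs() will look for CA certificates."""
    paths = ssl.get_default_verify_paths()
    env_names = (paths.openssl_cafile_env, paths.openssl_capath_env)
    return {
        # Non-empty: the process environment redirects OpenSSL's default store.
        "env_overrides": {n: os.environ[n] for n in env_names if n in os.environ},
        "effective_cafile": paths.cafile,  # None when the file does not exist
        "effective_capath": paths.capath,
        "compiled_cafile": paths.openssl_cafile,
    }


def default_ca_count():
    """x509_ca as reported by cert_store_stats() on a default context."""
    return ssl.create_default_context().cert_store_stats()["x509_ca"]


@contextmanager
def simulated_hook(bundle_path):
    """Set SSL_CERT_FILE the way the issue describes, then restore it."""
    name = ssl.get_default_verify_paths().openssl_cafile_env  # "SSL_CERT_FILE"
    saved = os.environ.get(name)
    os.environ[name] = bundle_path
    try:
        yield name
    finally:
        if saved is None:
            os.environ.pop(name, None)
        else:
            os.environ[name] = saved


if __name__ == "__main__":
    # Pass a PEM bundle path (e.g. the output of certifi.where()) as argv[1];
    # without one, a constructed empty file stands in for the bundle.
    with tempfile.NamedTemporaryFile(suffix=".pem") as empty:
        bundle = sys.argv[1] if len(sys.argv) > 1 else empty.name
        print("before:", default_trust_report(), default_ca_count())
        with simulated_hook(bundle):
            print("hooked:", default_trust_report(), default_ca_count())
```

Run at startup in both the frozen and the unfrozen build, a non-empty `env_overrides` in only one of them is the inconsistency reported here.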