Python to use Windows Certificate Store #72733

Closed
Jean-PhilippeLandry mannequin opened this issue Oct 28, 2016 · 2 comments
Jean-PhilippeLandry mannequin commented Oct 28, 2016

BPO 28547
Nosy @tiran

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

GitHub fields:

assignee = 'https://github.com/tiran'
closed_at = <Date 2018-05-24.14:03:30.108>
created_at = <Date 2016-10-28.12:57:15.832>
labels = ['expert-SSL', 'type-bug']
title = 'Python to use Windows Certificate Store'
updated_at = <Date 2018-05-24.14:03:30.107>
user = 'https://bugs.python.org/Jean-PhilippeLandry'

bugs.python.org fields:

activity = <Date 2018-05-24.14:03:30.107>
actor = 'Jean-Philippe Landry'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2018-05-24.14:03:30.108>
closer = 'Jean-Philippe Landry'
components = ['SSL']
creation = <Date 2016-10-28.12:57:15.832>
creator = 'Jean-Philippe Landry'
dependencies = []
files = []
hgrepos = []
issue_num = 28547
keywords = []
message_count = 2.0
messages = ['279602', '279603']
nosy_count = 2.0
nosy_names = ['christian.heimes', 'Jean-Philippe Landry']
pr_nums = []
priority = 'normal'
resolution = 'third party'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue28547'
versions = ['Python 3.5']

Jean-PhilippeLandry mannequin commented Oct 28, 2016

Hello,

Would it be possible for Python to use the Certificate Store in Windows instead of a predetermined list of certificates? The use case is as follows:

Multiple machines being on a corporate network where there is a man-in-the-middle packet inspection (IT security stuff...) that will re-sign most of the SSL connections with its own certificate that is unfortunately not part of the Python default store. There are also multiple behind-the-firewall servers using self-signed certificates. That means that almost all SSL requests, including pip install, will throw the famous [SSL: CERTIFICATE_VERIFY_FAILED] error.

This is transparent in Chrome because Chrome is using the Windows store to determine if a certificate is trusted or not, and all those custom certificates are in the Windows store.

However, Python uses its own file (list of approved certificates). I understand that this can be overridden by using a custom, manually managed crt file and setting it in the environment variables (REQUESTS_CA_BUNDLE), and it works. However, this involves manual operation and undesired maintenance when a new certificate is added to the store. The Windows store itself gets updated periodically by IT, so it is not an issue.

Is there a rationale behind using a specific file instead of the Windows store, which will work for Chrome, IE, etc.?

Best regards,

Jean-Philippe

@Jean-PhilippeLandry Jean-PhilippeLandry mannequin added topic-SSL type-bug An unexpected behavior, bug, or error labels Oct 28, 2016
tiran commented Oct 28, 2016

Python's ssl library has used Windows' cert store since 3.4 / 2.7.9. Some third-party applications like requests or pip rather use their own cert store instead. This decision is beyond the control of Python.

https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_default_certs
https://docs.python.org/3/library/ssl.html#ssl.enum_certificates

@Jean-PhilippeLandry Jean-PhilippeLandry mannequin closed this as completed May 24, 2018
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
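
The following is an added example, not part of the original thread and not code from CPython, requests or pip. It uses `ssl.enum_certificates` (linked in the reply above) to turn the Windows `ROOT` and `CA` stores into a PEM bundle that `REQUESTS_CA_BUNDLE` can point at; the function names and `CONSTRUCTED_SAMPLE` are assumptions made for illustration.

```python
import ssl
import sys

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # extended key usage: TLS server authentication

# Constructed sample in the (cert_bytes, encoding_type, trust) shape that
# ssl.enum_certificates() returns; the bytes are placeholders, not real certificates.
CONSTRUCTED_SAMPLE = [
    (b"\x30\x03\x02\x01\x01", "x509_asn", True),                   # trusted for all purposes
    (b"\x30\x03\x02\x01\x02", "x509_asn", {SERVER_AUTH_OID}),      # trusted for TLS servers
    (b"\x30\x03\x02\x01\x03", "x509_asn", {"1.3.6.1.5.5.7.3.3"}),  # code signing only
    (b"\x30\x03\x02\x01\x04", "pkcs_7_asn", True),                 # not a single X.509 cert
    (b"\x30\x03\x02\x01\x01", "x509_asn", True),                   # duplicate of the first
]

def trusted_for_tls(entry):
    """True if a store entry is an X.509 certificate usable for TLS server auth."""
    _der, encoding, trust = entry
    if encoding != "x509_asn":
        return False
    # trust is exactly True (all purposes) or a set of permitted EKU OIDs.
    return trust is True or SERVER_AUTH_OID in trust

def build_pem_bundle(entries):
    """Concatenate the TLS-trusted, de-duplicated entries as PEM text."""
    seen, pems = set(), []
    for entry in entries:
        der = entry[0]
        if trusted_for_tls(entry) and der not in seen:
            seen.add(der)
            pems.append(ssl.DER_cert_to_PEM_cert(der))
    return "".join(pems)

def windows_store_entries(stores=("ROOT", "CA")):
    """Read the named system stores; returns [] where enum_certificates is absent."""
    if not hasattr(ssl, "enum_certificates"):  # only available on Windows
        return []
    return [e for name in stores for e in ssl.enum_certificates(name)]

if __name__ == "__main__":
    if hasattr(ssl, "enum_certificates"):
        sys.stdout.write(build_pem_bundle(windows_store_entries()))
    else:
        kept = build_pem_bundle(CONSTRUCTED_SAMPLE).count("BEGIN CERTIFICATE")
        print(f"not Windows; constructed sample keeps {kept} of "
              f"{len(CONSTRUCTED_SAMPLE)} entries", file=sys.stderr)
```

On Windows, redirect the output to a file and set `REQUESTS_CA_BUNDLE` to that path; rerunning the script after IT updates the store regenerates the bundle.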