You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
assignee='https://github.com/tiran'closed_at=<Date2018-05-24.14:03:30.108>created_at=<Date2016-10-28.12:57:15.832>labels= ['expert-SSL', 'type-bug']
title='Python to use Windows Certificate Store'updated_at=<Date2018-05-24.14:03:30.107>user='https://bugs.python.org/Jean-PhilippeLandry'
Would it be possible for Python to use the Certificate Store in windows instead of a predetermined list of certificates. The use case is as follows:
Multiple machines being on a corporate network where there is a man in the middle packet inspection (IT security stuff...) that will resign most of the SSL connections with its own certificate that is unfortunately not part of the python default store. There are also multiple behind the firewall servers using self signed certificates. That means that almost all SSL requests, including pip install will throw the famous [SSL: CERTIFICATE_VERIFY_FAILED] error.
This is transparent in Chrome because Chrome is using the Windows store to determine if a certificate is trusted or not and all those custom certificates are in the windows store.
However, Python uses its own file (list of approved certificates). I understand that this can be overridden using a custom, manually managed, crt file and set it into the environment variables (REQUESTS_CA_BUNDLE) and it works. However, this involves manual operation and undesired maintenance when a new certificate will be added to the store. The windows store itself gets updated periodically by IT so it is a not an issue.
Is there a rationale behind using a specific file instead of the windows store which will work for Chrome, IE, etc...
Python's ssl library has used Windows' cert store since 3.4 / 2.7.9. Some third party applications like requests or pip rather use their own cert store instead. This decision is beyond control of Python.
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: