gh-79846: Make ssl.create_default_context() ignore invalid certificates

[pukkandan]

Fixes #79846, fixes #89475

Currently, when loading certificates from the Windows certificate store, error in any one certificate causes ssl.create_default_context() to crash. This causes issues in systems that have certificates that are not quite to-spec. A primary culprit for this is "MUPCA Root", which (despite being is technically invalid) is essential for citizens of Serbia

See the conversations under the linked issues for more details

I believe it makes sense for create_default_context to ignore any invalid certificates in the system store. An existing comment in the related code seems to agree with me on this:

cpython/Lib/ssl.py

Lines 772 to 774 in 8497514

	# no explicit cafile, capath or cadata but the verify mode is
	# CERT_OPTIONAL or CERT_REQUIRED. Let's try to load default system
	# root CA certificates for the given purpose. This may fail silently.

This issue can be solved by loading each certificate one by one and ignoring any SSLErrors. I had outlined the idea for this patch in the above-mentioned issue, but never recieved any reply on whether this is acceptable. Hopefully, this PR receives better attention

• Issue: Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute #79846

[cpython-cla-bot]

All commit authors signed the Contributor License Agreement.

[bedevere-bot]

Every change to Python requires a NEWS entry.

Please, add it using the blurb_it Web app or the blurb command-line tool.

[serhiy-storchaka]

The issues was closed and I cannot reproduce the original problem.