➜
This issue trackerhas been migrated toGitHub, and is currentlyread-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.
Created on2016-05-24 22:24 bysteve.dower, last changed2022-04-11 14:58 byadmin. This issue is nowclosed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| 27114_1.patch | steve.dower,2016-05-24 22:30 | |||
| Messages (5) | |||
|---|---|---|---|
| msg266285 -(view) | Author: Steve Dower (steve.dower)* | Date: 2016-05-24 22:24 | |
In some restricted server scenarios, it is not possible to enumerate the Windows machine certificate store. A PermissionError is raised and the operation aborted.Instead, we should simply return no certificates from _load_windows_store_certs. This will most likely cause the SSL request to fail (as the certificate cannot be verified), but it allows the use of SSL_CERT_FILE to use certificates from a local file. Without handling the PermissionError, it doesn't matter whether the environment variable is set or not - we simply fail every time. | |||
| msg266286 -(view) | Author: Steve Dower (steve.dower)* | Date: 2016-05-24 22:30 | |
Added a patch against 3.5 that handles PermissionError and warns about the failure.I think this should be applied against 2.7, 3.5 and 3.6, and that it's unfortunately untestable (without adding extra API to force it to fail). Any concerns? | |||
| msg266448 -(view) | Author: Roundup Robot (python-dev) | Date: 2016-05-26 19:18 | |
New changeset40f3f2b27112 by Steve Dower in branch '2.7':Issue#27114: Fix SSLContext._load_windows_store_certs fails with PermissionErrorhttps://hg.python.org/cpython/rev/40f3f2b27112 | |||
| msg266449 -(view) | Author: Roundup Robot (python-dev) | Date: 2016-05-26 19:20 | |
New changeset29f163db229e by Steve Dower in branch '3.5':Issue#27114: Fix SSLContext._load_windows_store_certs fails with PermissionErrorhttps://hg.python.org/cpython/rev/29f163db229eNew changeseteaee5aed6fbc by Steve Dower in branch 'default':Issue#27114: Fix SSLContext._load_windows_store_certs fails with PermissionErrorhttps://hg.python.org/cpython/rev/eaee5aed6fbc | |||
| msg266450 -(view) | Author: Steve Dower (steve.dower)* | Date: 2016-05-26 19:26 | |
One slight change to the patch for 2.7 - has to catch OSError.Just realised that I forgot to mention the reason we shouldn't just let the exception propagate out is that we then never load certificates specified by the SSL_CERT_FILE variable. Handling the exception allows a workaround.If the exception occurs and no other certificates have been provided, it seems certain that a later operation is going to fail with a much more useful message (i.e. unverifiable connection, or whatever it says). There are also libraries (I think urllib is the one that was causing me actual trouble) that keep retrying the call when it fails, and all of those would need to be updated to handle this error.The docs don't specify potential exceptions, so I see only good by not raising an exception here. | |||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:31 | admin | set | github: 71301 |
| 2016-05-26 19:28:09 | steve.dower | set | status: open -> closed resolution: fixed stage: commit review -> resolved |
| 2016-05-26 19:26:06 | steve.dower | set | messages: +msg266450 stage: patch review -> commit review |
| 2016-05-26 19:20:11 | python-dev | set | messages: +msg266449 |
| 2016-05-26 19:18:25 | python-dev | set | nosy: +python-dev messages: +msg266448 |
| 2016-05-24 22:30:39 | steve.dower | set | files: +27114_1.patch keywords: +patch messages: +msg266286 stage: needs patch -> patch review |
| 2016-05-24 22:24:35 | steve.dower | create | |