[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Change by Dimitrije Milović : Added file: https://bugs.python.org/file50310/Untitled.png ___ Python tracker ___ ___ Python-bugs-list mailing

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Dimitrije Milović added the comment: Just to ad to the issue, and to further update the importance of those certificates... I came to this issue (still persistent with all python versions since 3.6) while using yt-dlp: https://github.com/yt-dlp/yt-dlp/issues/1060 I obviously have the SAME pr

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Change by Dimitrije Milović : Added file: https://bugs.python.org/file50311/Untitled.png ___ Python tracker ___ ___ Python-bugs-list mailing

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Change by Dimitrije Milović : Removed file: https://bugs.python.org/file50310/Untitled.png ___ Python tracker ___ ___ Python-bugs-list mailin

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Christian Heimes added the comment: We cannot fix the issue in Python. Please report the problem to OpenSSL and to your government. Either OpenSSL needs to relax its cert parser again or your government has to replace the broken certificates with correct certificates. -- assignee: ch

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Dimitrije Milović added the comment: Maybe better to continue in my newly opened tread https://bugs.python.org/issue45312 since I suppose I wasn't correctly specific (read I am a noob!), and pukkandan was more so. And my government fixing their certificates?! No chance i hell, they are like

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Christian Heimes added the comment: Could you please open an OpenSSL bug on the projects bug tracker https://github.com/openssl/openssl/ and explain the issue there? They might be able to implement a workaround for the broken certificates or advise you how to handle the invalid certificates.

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

pukkandan added the comment: > A workaround for Python would require a major rewrite of the Windows CA store > integration. We don't have any capacity to work on that area In theory, the issue can be worked around by simply loading each certificate separately. See https://github.com/yt-dlp/

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

New submission from Vladimir Perić : In Python 3.7.1 on Windows 10 ssl library function call ssl.create_default_context(ssl.Purpose.SERVER_AUTH) raises an ssl error: File "C:\Python37\lib\ssl.py", line 471, in _load_windows_store_certs self.load_verify_locations(cadata=certs) ssl.SSLError:

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Vladimir Perić added the comment: Same outcome in Python 3.7.2. See first comment for detailed explanation of issue. -- ___ Python tracker ___ _

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

STINNER Victor added the comment: > self.load_verify_locations(cadata=certs) > ... > ssl.SSLError: nested asn1 error (_ssl.c:3926) It seems like one of your certificate is invalid. > In Python 3.6.4 same function call raises no error. We frequently update OpenSSL in Python. You can get OpenS

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

STINNER Victor added the comment: Would it be possible to attach the certification to the issue so someone can try to reproduce the issue? (but don't attach any private key ;-)) -- ___ Python tracker __

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Christian Heimes added the comment: The certs are coming from Windows' trust store. Could you please dump the trust store for me and attach the result to the bug tracker. The following script is untested but should work. I don't have access to a Windows machine at the moment. ctx = ssl.SSLC

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Vladimir Perić added the comment: Public Certificate file cert.pem is attached. Version of ssl lib in pythons on my machine: Python 3.7.2 (tags/v3.7.2:9a3ffc0492, Dec 23 2018, 23:09:28) [MSC v.1916 64 bit (AMD64)] on win32 Type "help", "copyright", "credits" or "license" for more information.

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Christian Heimes added the comment: Your Windows cert store contains multiple invalid certificates. The first failing certificate is the custom "MUPCA Root", which looks like a certificate from http://ca.mup.gov.rs/sertifikati.html. The serial number seems to be badly formated or padded. The

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Christian Heimes added the comment: OpenSSL 1.1.0 is more strict than OpenSSL 1.0.2. That's why you don't see the issue with Python 3.6 but with 3.7. The problem is explained in https://mta.openssl.org/pipermail/openssl-dev/2016-February/005100.html The CA has encoded the integer 102 (0x66)

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Vladimir Perić added the comment: Thank you all for this expeditive help. Sorry for taking your time. I will remove bad certificates from my machine. Thanks again. I will try to close this one. -- stage: -> resolved status: open -> closed ___ Pytho

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Christian Heimes added the comment: I also checked how other implementations deal with invalid DER encoding. NSS 3.41, Firefox, and Chromium accept the certifiate. NSS shows the serial number as "102 (0x66)" Firefox and Chromium display the serial number as "00:00:00:66". $ echo "password" >

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Pedja added the comment: This is still an issue. Serious one. People are unable to just remove this certificate as it is needed for everyday use. It is reasonable that application does not deal with invalid certificates. I can understand application to breaks if one tries to use invalid cert

[issue35665] Function ssl.create_default_context raises exception on Windows 10 when called with ssl.Purpose.SERVER_AUTH) attribute

Change by STINNER Victor : -- nosy: -vstinner ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.p