[New-bugs-announce] [issue28547] Python to use Windows Certificate Store

[Jean-Philippe Landry]

New submission from Jean-Philippe Landry:

Hello,

Would it be possible for Python to use the Certificate Store in windows instead of a predetermined list of certificates. The use case is as follows:

Multiple machines being on a corporate network where there is a man in the middle packet inspection (IT security stuff...) that will resign most of the SSL connections with its own certificate that is unfortunately not part of the python default store. There are also multiple behind the firewall servers using self signed certificates. That means that almost all SSL requests, including pip install will throw the famous [SSL: CERTIFICATE_VERIFY_FAILED] error.

This is transparent in Chrome because Chrome is using the Windows store to determine if a certificate is trusted or not and all those custom certificates are in the windows store.

However, Python uses its own file (list of approved certificates). I understand that this can be overridden using a custom, manually managed, crt file and set it into the environment variables (REQUESTS_CA_BUNDLE) and it works. However, this involves manual operation and undesired maintenance when a new certificate will be added to the store. The windows store itself gets updated periodically by IT so it is a not an issue.

Is there a rationale behind using a specific file instead of the windows store which will work for Chrome, IE, etc...

Best regards,

Jean-Philippe

----------
assignee: christian.heimes
components: SSL
messages: 279602
nosy: Jean-Philippe Landry, christian.heimes
priority: normal
severity: normal
status: open
title: Python to use Windows Certificate Store
type: behavior
versions: Python 3.5

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue28547>
_______________________________________