[Python-Dev] https://bugs.python.org/issue33127 breaks pip / easy_install / pipenv etc in corporate networks on MS Windows using self-signed certificates

Steve Dower steve.dower at python.org
Tue Apr 17 16:58:54 EDT 2018


On 17Apr2018 0246, Oleg Sivokon wrote:
> It is common practice in corporate networks that connect MS Windows machines to redirect all (encrypted included) traffic through the company's router.  For this purpose routers are usually configured to act as a CA.  However, the certificate issued by such a "CA" will of course not be found in the certificates distributed with LibreSSL (how would they even know?).  MS Windows networking, however, has a way to configure these policies.
> 
> Prior to this issue, Python relied on the OS libraries to implement the TLS protocol, so the overall setup worked transparently for users.  Since 3.6.5, however, this is no longer possible (requires alteration of certificates distributed with Python).

If you are referring to Python on Windows, this was never true. We've 
always relied on OpenSSL and at best will read locally installed 
certificates (and by default, most certificates are not locally 
installed). This should not have changed recently, and certainly not 
with the bug you reference.

> I'm asking that this be made configurable / possible to disable using simple means, perhaps an environment variable / registry key or similar.

I'm not clear on what you're asking for. The only thing we can disable 
is reading OS certificates into OpenSSL, and that would be the opposite 
of what you are having trouble with.

Perhaps this is an issue with pip more specifically than Python?

> PS. I still cannot register to the bug tracker (never received a confirmation email), this is why you are reading this email.

I would guess it ended up in a junk mail folder, though that may be 
controlled by your organization rather than anywhere you can get to it. 
Perhaps using an alternate email address will be easiest?

Cheers,
Steve
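
The behaviour described in the reply above (OpenSSL does the verification, and on Windows the certificates come from the locally installed stores) can be inspected with the standard `ssl` module. This is an added example, not part of the original message or of CPython; the CA name `Example Corp Inspection CA` is a constructed placeholder, and the function names are hypothetical.

```python
import os
import ssl
import sys

SERVER_AUTH_OID = ssl.Purpose.SERVER_AUTH.oid  # 1.3.6.1.5.5.7.3.1


def windows_store_counts():
    """Count certs per Windows system store that are usable for TLS server auth."""
    counts = {}
    if sys.platform != "win32":
        return counts  # ssl.enum_certificates() exists only on Windows
    for store in ("CA", "ROOT"):  # the stores load_default_certs() reads
        usable = 0
        for _der, encoding, trust in ssl.enum_certificates(store):
            # trust is True (all purposes) or a set of allowed EKU OIDs
            if encoding == "x509_asn" and (trust is True or SERVER_AUTH_OID in trust):
                usable += 1
        counts[store] = usable
    return counts


def find_ca(ctx, needle):
    """Return subjects of CA certs loaded in ctx whose subject contains needle."""
    hits = []
    # Certs in an OpenSSL capath directory are loaded lazily and not listed here.
    for cert in ctx.get_ca_certs():
        flat = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
        if any(needle.lower() in v.lower() for v in flat.values()):
            hits.append(flat)
    return hits


def trust_report(ca_name):
    """Summarise where the default client context gets its trust anchors."""
    ctx = ssl.create_default_context()
    paths = ssl.get_default_verify_paths()
    env_names = (paths.openssl_cafile_env, paths.openssl_capath_env)
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "verify_paths": (paths.cafile, paths.capath),
        "env_overrides": {name: os.environ.get(name) for name in env_names},
        "loaded": ctx.cert_store_stats(),
        "windows_stores": windows_store_counts(),
        "matches": find_ca(ctx, ca_name),
    }


if __name__ == "__main__":
    print(trust_report("Example Corp Inspection CA"))  # constructed CA name
```

An empty `matches` list means the default context has not loaded a CA with that name. The report covers only the standard library's default context, not tools that ship their own CA bundle.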