[Python-Dev] https://bugs.python.org/issue33127 breaks pip / easy_install / pipenv etc in corporate networks on MS Windows using self-signed certificates

Oleg Sivokon olegs at traiana.com
Sun Apr 22 03:47:09 EDT 2018


On 17Apr2018 0246, Oleg Sivokon wrote:
> It is common practice in corporate networks that connect MS Windows ...

> If you are referring to Python on Windows, this was never true. We've
> always relied on OpenSSL and at best will read locally installed
> certificates (and by default, most certificates are not locally
> installed). This should not have changed recently, and certainly not
> with the bug you reference.

I was simply parroting whatever our IT people told me.  I don't use MS Windows, and know very little about administration of this OS.  I'll be happy to tell them what you just wrote.

> I'm asking that this be made configurable / possible to disable using simple means, perhaps an environment variable / registry key or similar.

> I'm not clear on what you're asking for. The only thing we can disable
> is reading OS certificates into OpenSSL, and that would be the opposite
> of what you are having trouble with.

I'm still investigating what the actual problem was, and what exactly changed.  It might have been related to PyPI using new hosts, but, to be absolutely honest, pip and similar tools don't make it easy to debug this problem.  The problem with these tools is that they lose all context information about SSL errors, so it's not possible to know what the exact problem was.  Setting up a development environment on MS Windows to try to debug the Python interpreter in order to discover this information so far has been frustratingly painful (it's been about a decade since I used MS Windows for anything related to programming).

> PS. I still cannot register to the bug tracker (never received a confirmation email), this is why you are reading this email.

> I would guess it ended up in a junk mail folder, though that may be
> controlled by your organization rather than anywhere you can get to it.
> Perhaps using an alternate email address will be easiest?

No, it was simply never received (maybe it was somehow filtered out by the MS Exchange filters, I know very little about it, but it never made it to my mailbox).  Whatever the case, I will never know that because, apparently, our IT are either too lazy or don't know what they are doing...