Workaround for bug in ssl.SSLContext.load_default_certs (#1118)

* Remove old compat code
* Load certificates only when not using nocheckcertificate
* Load each certificate individually

Closes #1060
Related bugs.python.org/issue35665, bugs.python.org/issue4531
pukkandan 2021-09-29 03:07:23 +05:30 committed by GitHub
parent 7687c8ac6e
commit 7756277882
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -2352,27 +2352,33 @@ def formatSeconds(secs, delim=':', msec=False):
return '%s.%03d' % (ret, secs % 1) if msec else ret return '%s.%03d' % (ret, secs % 1) if msec else ret
def make_HTTPS_handler(params, **kwargs): def _ssl_load_windows_store_certs(ssl_context, storename):
opts_no_check_certificate = params.get('nocheckcertificate', False) # Code adapted from _load_windows_store_certs in https://github.com/python/cpython/blob/main/Lib/ssl.py
if hasattr(ssl, 'create_default_context'): # Python >= 3.4 or 2.7.9
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
if opts_no_check_certificate:
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
try: try:
return YoutubeDLHTTPSHandler(params, context=context, **kwargs) certs = [cert for cert, encoding, trust in ssl.enum_certificates(storename)
except TypeError: if encoding == 'x509_asn' and (
# Python 2.7.8 trust is True or ssl.Purpose.SERVER_AUTH.oid in trust)]
# (create_default_context present but HTTPSHandler has no context=) except PermissionError:
return
for cert in certs:
try:
ssl_context.load_verify_locations(cadata=cert)
except ssl.SSLError:
pass pass
if sys.version_info < (3, 2):
return YoutubeDLHTTPSHandler(params, **kwargs) def make_HTTPS_handler(params, **kwargs):
else: # Python < 3.4 opts_check_certificate = not params.get('nocheckcertificate')
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.verify_mode = (ssl.CERT_NONE context.check_hostname = opts_check_certificate
if opts_no_check_certificate context.verify_mode = ssl.CERT_REQUIRED if opts_check_certificate else ssl.CERT_NONE
else ssl.CERT_REQUIRED) if opts_check_certificate:
# Work around the issue in load_default_certs when there are bad certificates. See:
# https://github.com/yt-dlp/yt-dlp/issues/1060,
# https://bugs.python.org/issue35665, https://bugs.python.org/issue4531
if sys.platform == 'win32':
for storename in ('CA', 'ROOT'):
_ssl_load_windows_store_certs(context, storename)
context.set_default_verify_paths() context.set_default_verify_paths()
return YoutubeDLHTTPSHandler(params, context=context, **kwargs) return YoutubeDLHTTPSHandler(params, context=context, **kwargs)
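Review bot: Both failure paths in the new `_ssl_load_windows_store_certs` are silent: `except PermissionError: return` leaves the whole store unloaded, and `except ssl.SSLError: pass` drops a certificate without a trace. Verification still fails closed because `verify_mode` stays `CERT_REQUIRED`, but the user sees only a generic certificate error and may turn on `nocheckcertificate` instead of fixing the store. The CPython function this is adapted from warns on the PermissionError path; I would keep that, e.g. `warnings.warn('unable to enumerate Windows certificate store %r' % storename)` (assuming `warnings` is, or can be, imported in this module), and put a comment on the `pass` saying that skipping an unparsable certificate is the intended workaround. In `make_HTTPS_handler`, a comment such as `# check_hostname must be cleared before verify_mode can be set to CERT_NONE` would protect the assignment order from a later reshuffle.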