
ssl.create_default_context() throws: "ssl.SSLError: [X509] unknown error (_ssl.c:4035)" #108721

@bh1428

Bug report

Checklist

  • I am confident this is a bug in CPython, not a bug in a third-party project
  • I have searched the CPython issue tracker,
    and am confident this bug has not been reported before

CPython versions tested on:

3.11

Operating systems tested on:

Windows

Output from running 'python -VV' on the command line:

Python 3.11.5 (tags/v3.11.5:cce6ba9, Aug 24 2023, 14:38:34) [MSC v.1936 64 bit (AMD64)]

A clear and concise description of the bug:

In one of my systems, this triggers an exception in Python 3.11.5 and works fine in Python 3.11.4:

import ssl
ssl.create_default_context()

The exception is:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Program Files\Python311\Lib\ssl.py", line 775, in create_default_context
    context.load_default_certs(purpose)
  File "C:\Program Files\Python311\Lib\ssl.py", line 596, in load_default_certs
    self._load_windows_store_certs(storename, purpose)
  File "C:\Program Files\Python311\Lib\ssl.py", line 588, in _load_windows_store_certs
    self.load_verify_locations(cadata=certs)
ssl.SSLError: [X509] unknown error (_ssl.c:4035)

The cause is a couple of TFS certificates in the Windows "CA" store:
[screenshot: the two TFS certificates in the Windows "CA" certificate store]

If I remove one of these certificates (doesn't matter which one, I have tested both by removing, reimporting, etc.), the issue goes away.

It looks like commit 77e0919 is causing the issue. I have created a custom build of main with lines 670-673 of Modules/_ssl.c commented out:

//                if (ERR_GET_LIB(e) == ERR_LIB_SSL &&
//                        ERR_GET_REASON(e) == SSL_R_CERTIFICATE_VERIFY_FAILED) {
//                    type = state->PySSLCertVerificationErrorObject;
//                }

When using this custom build (and the two certificates in the store), the issue does not occur.

Attached you'll find a zip with the two certificates (in case anyone is wondering, they are from a sandbox which is no longer in use) and a more elaborate example which finds out which certificates cause an issue by testing them one at a time (originally I had three certificates).

TFS_certs.zip
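As an added illustration of the one-at-a-time check the reporter describes (this is example code, not the script attached to the issue): each DER certificate is loaded into its own fresh context, so a single bad entry is identified instead of making the whole batch fail. It assumes `ssl.enum_certificates`, which exists only on Windows, and defaults to the "CA" store named in the report.

```python
import ssl
import sys
from typing import Iterable, List, Optional, Tuple


def check_cert_loads(der_cert: bytes) -> Optional[str]:
    """Load one DER certificate into a fresh context; return the error text or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=der_cert)
    except ssl.SSLError as exc:
        return str(exc)
    return None


def find_bad_certs(der_certs: Iterable[bytes]) -> List[Tuple[int, str]]:
    """Test certificates individually so one bad entry cannot hide the others.

    Returns (index, error message) for every certificate OpenSSL refuses.
    """
    bad = []
    for index, cert in enumerate(der_certs):
        err = check_cert_loads(cert)
        if err is not None:
            bad.append((index, err))
    return bad


def windows_store_der_certs(storename: str = "CA") -> Iterable[bytes]:
    """Yield DER CA certificates trusted for server auth from a Windows store.

    Mirrors the filtering ssl.py applies: only x509_asn entries whose trust is
    unrestricted or includes the SERVER_AUTH OID. Yields nothing off Windows.
    """
    if not hasattr(ssl, "enum_certificates"):  # Windows-only API
        return
    for cert, encoding, trust in ssl.enum_certificates(storename):
        if encoding != "x509_asn":
            continue
        if trust is True or ssl.Purpose.SERVER_AUTH.oid in trust:
            yield cert


if __name__ == "__main__":
    store = sys.argv[1] if len(sys.argv) > 1 else "CA"
    for index, err in find_bad_certs(windows_store_der_certs(store)):
        print(f"certificate #{index} in store {store!r} failed to load: {err}")
```

Run it as `python check_store.py ROOT` to inspect a different store; off Windows it simply reports nothing because there is no store to enumerate.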

Labels: 3.11 (only security fixes), topic-SSL, type-bug (An unexpected behavior, bug, or error)