Workaround for bug in ssl.SSLContext.load_default_certs
(#1118)
* Remove old compat code
* Load certificates only when not using nocheckcertificate
* Load each certificate individually

Closes #1060
Related bugs.python.org/issue35665, bugs.python.org/issue4531
parent
7687c8ac6e
commit
7756277882
1 changed files with 25 additions and 19 deletions
|
@ -2352,27 +2352,33 @@ def formatSeconds(secs, delim=':', msec=False):
|
||||||
return '%s.%03d' % (ret, secs % 1) if msec else ret
|
return '%s.%03d' % (ret, secs % 1) if msec else ret
|
||||||
|
|
||||||
|
|
||||||
def make_HTTPS_handler(params, **kwargs):
|
def _ssl_load_windows_store_certs(ssl_context, storename):
|
||||||
opts_no_check_certificate = params.get('nocheckcertificate', False)
|
# Code adapted from _load_windows_store_certs in https://github.com/python/cpython/blob/main/Lib/ssl.py
|
||||||
if hasattr(ssl, 'create_default_context'): # Python >= 3.4 or 2.7.9
|
|
||||||
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
|
|
||||||
if opts_no_check_certificate:
|
|
||||||
context.check_hostname = False
|
|
||||||
context.verify_mode = ssl.CERT_NONE
|
|
||||||
try:
|
try:
|
||||||
return YoutubeDLHTTPSHandler(params, context=context, **kwargs)
|
certs = [cert for cert, encoding, trust in ssl.enum_certificates(storename)
|
||||||
except TypeError:
|
if encoding == 'x509_asn' and (
|
||||||
# Python 2.7.8
|
trust is True or ssl.Purpose.SERVER_AUTH.oid in trust)]
|
||||||
# (create_default_context present but HTTPSHandler has no context=)
|
except PermissionError:
|
||||||
|
return
|
||||||
|
for cert in certs:
|
||||||
|
try:
|
||||||
|
ssl_context.load_verify_locations(cadata=cert)
|
||||||
|
except ssl.SSLError:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
if sys.version_info < (3, 2):
|
|
||||||
return YoutubeDLHTTPSHandler(params, **kwargs)
|
def make_HTTPS_handler(params, **kwargs):
|
||||||
else: # Python < 3.4
|
opts_check_certificate = not params.get('nocheckcertificate')
|
||||||
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
|
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
|
||||||
context.verify_mode = (ssl.CERT_NONE
|
context.check_hostname = opts_check_certificate
|
||||||
if opts_no_check_certificate
|
context.verify_mode = ssl.CERT_REQUIRED if opts_check_certificate else ssl.CERT_NONE
|
||||||
else ssl.CERT_REQUIRED)
|
if opts_check_certificate:
|
||||||
|
# Work around the issue in load_default_certs when there are bad certificates. See:
|
||||||
|
# https://github.com/yt-dlp/yt-dlp/issues/1060,
|
||||||
|
# https://bugs.python.org/issue35665, https://bugs.python.org/issue4531
|
||||||
|
if sys.platform == 'win32':
|
||||||
|
for storename in ('CA', 'ROOT'):
|
||||||
|
_ssl_load_windows_store_certs(context, storename)
|
||||||
context.set_default_verify_paths()
|
context.set_default_verify_paths()
|
||||||
return YoutubeDLHTTPSHandler(params, context=context, **kwargs)
|
return YoutubeDLHTTPSHandler(params, context=context, **kwargs)
|
||||||
|
|
||||||
|
|
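Review bot: Both failure paths in `_ssl_load_windows_store_certs` are silent: `except PermissionError: return` leaves the context without that store's certificates, and `except ssl.SSLError: pass` drops a certificate without any trace, so a later verification failure gives the user no hint of the cause and invites switching on `nocheckcertificate`. I would at least document the intent, e.g. `# a malformed certificate must not stop the remaining ones from loading` above the `pass` and `# store not readable; continue without its certificates` above the `return`, and report the number of skipped certificates through whatever debug output this module already has (not visible in this section). In `make_HTTPS_handler` the assignment order is load-bearing: `check_hostname` has to be cleared before `verify_mode` can become `ssl.CERT_NONE`, otherwise the ssl module raises ValueError, so a short comment such as `# keep this order: check_hostname must be False before verify_mode = CERT_NONE` would protect it from a later reordering.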