|
|
|
@ -2373,10 +2373,17 @@ def make_HTTPS_handler(params, **kwargs):
|
|
|
|
|
context.check_hostname = opts_check_certificate
|
|
|
|
|
context.verify_mode = ssl.CERT_REQUIRED if opts_check_certificate else ssl.CERT_NONE
|
|
|
|
|
if opts_check_certificate:
|
|
|
|
|
try:
|
|
|
|
|
context.load_default_certs()
|
|
|
|
|
# Work around the issue in load_default_certs when there are bad certificates. See:
|
|
|
|
|
# https://github.com/yt-dlp/yt-dlp/issues/1060,
|
|
|
|
|
# https://bugs.python.org/issue35665, https://bugs.python.org/issue4531
|
|
|
|
|
if sys.platform == 'win32':
|
|
|
|
|
# https://bugs.python.org/issue35665, https://bugs.python.org/issue45312
|
|
|
|
|
except ssl.SSLError:
|
|
|
|
|
# enum_certificates is not present in mingw python. See https://github.com/yt-dlp/yt-dlp/issues/1151
|
|
|
|
|
if sys.platform == 'win32' and hasattr(ssl, 'enum_certificates'):
|
|
|
|
|
# Create a new context to discard any certificates that were already loaded
|
|
|
|
|
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
|
|
|
|
|
context.check_hostname, context.verify_mode = True, ssl.CERT_REQUIRED
|
|
|
|
|
for storename in ('CA', 'ROOT'):
|
|
|
|
|
_ssl_load_windows_store_certs(context, storename)
|
|
|
|
|
context.set_default_verify_paths()
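Review bot: The `except ssl.SSLError:` branch rebinds `context` to a fresh `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` and restores only `check_hostname` and `verify_mode`, so any other setting applied to the original context above this hunk (not visible here) would be silently dropped on the Windows fallback path. If such settings exist they should be re-applied after the rebuild; otherwise a comment such as `# Only check_hostname/verify_mode are set on context before this point, so nothing else needs restoring` would record the assumption. The handler also gives no indication that the default trust store failed to load. A second comment could state that verification stays at `CERT_REQUIRED`, so a connection fails closed if neither the Windows stores nor the default verify paths yield a usable CA. Indentation is lost on this page and `make_HTTPS_handler` starts and ends outside the hunk, so the nesting of `context.set_default_verify_paths()` relative to the `except` is inferred.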
|
|
|
|
|