diff options
| author | coletdev <coletdjnz@protonmail.com> | 2022-03-23 12:26:55 +1300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-03-22 16:26:55 -0700 |
| commit | d5820461e85a9d3d0b2a019f988d4469bfbcc3ee (patch) | |
| tree | ac01dbd3fa5a9d577450bfc48b99e623fa7058f4 /yt_dlp/utils.py | |
| parent | 8a23db95197282159efe970ca0ac69c97def60d3 (diff) | |
| download | hypervideo-pre-d5820461e85a9d3d0b2a019f988d4469bfbcc3ee.tar.lz hypervideo-pre-d5820461e85a9d3d0b2a019f988d4469bfbcc3ee.tar.xz hypervideo-pre-d5820461e85a9d3d0b2a019f988d4469bfbcc3ee.zip | |
Use certificates from `certifi` if installed (#3115)
Fixes #3102 and most `CERTIFICATE_VERIFY_FAILED` issues
Authored by: coletdjnz
Diffstat (limited to 'yt_dlp/utils.py')
| -rw-r--r-- | yt_dlp/utils.py | 37 |
1 files changed, 23 insertions, 14 deletions
diff --git a/yt_dlp/utils.py b/yt_dlp/utils.py index da6f27801..a08dc3c11 100644 --- a/yt_dlp/utils.py +++ b/yt_dlp/utils.py @@ -85,6 +85,12 @@ from .socks import ( sockssocket, ) +try: + import certifi + has_certifi = True +except ImportError: + has_certifi = False + def register_socks_protocols(): # "Register" SOCKS protocols @@ -1010,20 +1016,23 @@ def make_HTTPS_handler(params, **kwargs): context.options |= 4 # SSL_OP_LEGACY_SERVER_CONNECT context.verify_mode = ssl.CERT_REQUIRED if opts_check_certificate else ssl.CERT_NONE if opts_check_certificate: - try: - context.load_default_certs() - # Work around the issue in load_default_certs when there are bad certificates. See: - # https://github.com/yt-dlp/yt-dlp/issues/1060, - # https://bugs.python.org/issue35665, https://bugs.python.org/issue45312 - except ssl.SSLError: - # enum_certificates is not present in mingw python. See https://github.com/yt-dlp/yt-dlp/issues/1151 - if sys.platform == 'win32' and hasattr(ssl, 'enum_certificates'): - # Create a new context to discard any certificates that were already loaded - context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) - context.check_hostname, context.verify_mode = True, ssl.CERT_REQUIRED - for storename in ('CA', 'ROOT'): - _ssl_load_windows_store_certs(context, storename) - context.set_default_verify_paths() + if has_certifi and 'no-certifi' not in params.get('compat_opts', []): + context.load_verify_locations(cafile=certifi.where()) + else: + try: + context.load_default_certs() + # Work around the issue in load_default_certs when there are bad certificates. See: + # https://github.com/yt-dlp/yt-dlp/issues/1060, + # https://bugs.python.org/issue35665, https://bugs.python.org/issue45312 + except ssl.SSLError: + # enum_certificates is not present in mingw python. See https://github.com/yt-dlp/yt-dlp/issues/1151 + if sys.platform == 'win32' and hasattr(ssl, 'enum_certificates'): + # Create a new context to discard any certificates that were already loaded + context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + context.check_hostname, context.verify_mode = True, ssl.CERT_REQUIRED + for storename in ('CA', 'ROOT'): + _ssl_load_windows_store_certs(context, storename) + context.set_default_verify_paths() return YoutubeDLHTTPSHandler(params, context=context, **kwargs) |