mirror of
https://github.com/yt-dlp/yt-dlp.git
synced 2024-11-30 12:01:28 +00:00
Do not load system certificates when certifi
is used
This causes `CERTIFICATE_VERIFY_FAILED` if there is an
expired/bad certificate in the system store
Partially reverts 8a82af3511
Related: #4145
This commit is contained in:
parent
a3976e0760
commit
168bbc4f38
|
@ -146,8 +146,8 @@ ### Differences in default behavior
|
||||||
* Thumbnail embedding in `mp4` is done with mutagen if possible. Use `--compat-options embed-thumbnail-atomicparsley` to force the use of AtomicParsley instead
|
* Thumbnail embedding in `mp4` is done with mutagen if possible. Use `--compat-options embed-thumbnail-atomicparsley` to force the use of AtomicParsley instead
|
||||||
* Some private fields such as filenames are removed by default from the infojson. Use `--no-clean-infojson` or `--compat-options no-clean-infojson` to revert this
|
* Some private fields such as filenames are removed by default from the infojson. Use `--no-clean-infojson` or `--compat-options no-clean-infojson` to revert this
|
||||||
* When `--embed-subs` and `--write-subs` are used together, the subtitles are written to disk and also embedded in the media file. You can use just `--embed-subs` to embed the subs and automatically delete the separate file. See [#630 (comment)](https://github.com/yt-dlp/yt-dlp/issues/630#issuecomment-893659460) for more info. `--compat-options no-keep-subs` can be used to revert this
|
* When `--embed-subs` and `--write-subs` are used together, the subtitles are written to disk and also embedded in the media file. You can use just `--embed-subs` to embed the subs and automatically delete the separate file. See [#630 (comment)](https://github.com/yt-dlp/yt-dlp/issues/630#issuecomment-893659460) for more info. `--compat-options no-keep-subs` can be used to revert this
|
||||||
* `certifi` will be used for SSL root certificates, if installed. If you want to use only system certificates, use `--compat-options no-certifi`
|
* `certifi` will be used for SSL root certificates, if installed. If you want to use system certificates (e.g. self-signed), use `--compat-options no-certifi`
|
||||||
* youtube-dl tries to remove some superfluous punctuations from filenames. While this can sometimes be helpful, it is often undesirable. So yt-dlp tries to keep the fields in the filenames as close to their original values as possible. You can use `--compat-options filename-sanitization` to revert to youtube-dl's behavior
|
* youtube-dl tries to remove some superfluous punctuations from filenames. While this can sometimes be helpfull, it is often undesirable. So yt-dlp tries to keep the fields in the filenames as close to their original values as possible. You can use `--compat-options filename-sanitization` to revert to youtube-dl's behavior
|
||||||
|
|
||||||
For ease of use, a few more compat options are available:
|
For ease of use, a few more compat options are available:
|
||||||
|
|
||||||
|
|
|
@ -950,17 +950,18 @@ def make_HTTPS_handler(params, **kwargs):
|
||||||
if opts_check_certificate:
|
if opts_check_certificate:
|
||||||
if has_certifi and 'no-certifi' not in params.get('compat_opts', []):
|
if has_certifi and 'no-certifi' not in params.get('compat_opts', []):
|
||||||
context.load_verify_locations(cafile=certifi.where())
|
context.load_verify_locations(cafile=certifi.where())
|
||||||
try:
|
else:
|
||||||
context.load_default_certs()
|
try:
|
||||||
# Work around the issue in load_default_certs when there are bad certificates. See:
|
context.load_default_certs()
|
||||||
# https://github.com/yt-dlp/yt-dlp/issues/1060,
|
# Work around the issue in load_default_certs when there are bad certificates. See:
|
||||||
# https://bugs.python.org/issue35665, https://bugs.python.org/issue45312
|
# https://github.com/yt-dlp/yt-dlp/issues/1060,
|
||||||
except ssl.SSLError:
|
# https://bugs.python.org/issue35665, https://bugs.python.org/issue45312
|
||||||
# enum_certificates is not present in mingw python. See https://github.com/yt-dlp/yt-dlp/issues/1151
|
except ssl.SSLError:
|
||||||
if sys.platform == 'win32' and hasattr(ssl, 'enum_certificates'):
|
# enum_certificates is not present in mingw python. See https://github.com/yt-dlp/yt-dlp/issues/1151
|
||||||
for storename in ('CA', 'ROOT'):
|
if sys.platform == 'win32' and hasattr(ssl, 'enum_certificates'):
|
||||||
_ssl_load_windows_store_certs(context, storename)
|
for storename in ('CA', 'ROOT'):
|
||||||
context.set_default_verify_paths()
|
_ssl_load_windows_store_certs(context, storename)
|
||||||
|
context.set_default_verify_paths()
|
||||||
|
|
||||||
client_certfile = params.get('client_certificate')
|
client_certfile = params.get('client_certificate')
|
||||||
if client_certfile:
|
if client_certfile:
|
||||||
|
|
Loading…
Reference in a new issue