From 1a637b29aa1d1e96a5be14f520160caf04e8ee16 Mon Sep 17 00:00:00 2001
From: Romuald Brunet
Date: Wed, 28 Jan 2026 11:20:51 +0100
Subject: [PATCH] gh-144249: Report filename in SSLContext.load_cert_chain errors (#144250)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

When user tries to load a certificate chain, attach the related filename to the exception being raised. Improving user experience.

Co-authored-by: Victor Stinner
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
---
 Lib/test/test_ssl.py | 6 ++++++
 .../Library/2026-01-27-09-58-52.gh-issue-144249.mCIy95.rst | 2 ++
 Modules/_ssl.c | 6 ++++--
 3 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Library/2026-01-27-09-58-52.gh-issue-144249.mCIy95.rst
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 9dc99fbf5cf7..6023c89bca03 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -131,6 +131,7 @@ REMOTE_HOST = "self-signed.pythontest.net"
 EMPTYCERT = data_file("nullcert.pem")
 BADCERT = data_file("badcert.pem")
 NONEXISTINGCERT = data_file("XXXnonexisting.pem")
+NONEXISTINGKEY = data_file("XXXnonexistingkey.pem")
 BADKEY = data_file("badkey.pem")
 NOKIACERT = data_file("nokia.pem")
 NULLBYTECERT = data_file("nullbytecert.pem")
@@ -1229,6 +1230,11 @@ class ContextTests(unittest.TestCase):
 with self.assertRaises(OSError) as cm:
 ctx.load_cert_chain(NONEXISTINGCERT)
 self.assertEqual(cm.exception.errno, errno.ENOENT)
+ self.assertEqual(cm.exception.filename, NONEXISTINGCERT)
+ with self.assertRaises(OSError) as cm:
+ ctx.load_cert_chain(CERTFILE, keyfile=NONEXISTINGKEY)
+ self.assertEqual(cm.exception.errno, errno.ENOENT)
+ self.assertEqual(cm.exception.filename, NONEXISTINGKEY)
 with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
 ctx.load_cert_chain(BADCERT)
 with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
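Review bot: The new assertions in the `ContextTests` hunk pin `cm.exception.filename` only for `str` paths, so the type of `filename` for other accepted path types is left untested. The C side reports the name through `PyErr_SetFromErrnoWithFilename`, which decodes a C string, so `filename` presumably comes back as `str` even when the caller passed `bytes` or a path-like object. A further case such as `ctx.load_cert_chain(os.fsencode(NONEXISTINGCERT))` (assuming `os` is imported in this module), followed by an assertion on `cm.exception.filename`, would fix that contract in the suite. The enclosing test method starts and ends outside the hunk.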
diff --git a/Misc/NEWS.d/next/Library/2026-01-27-09-58-52.gh-issue-144249.mCIy95.rst b/Misc/NEWS.d/next/Library/2026-01-27-09-58-52.gh-issue-144249.mCIy95.rst
new file mode 100644
index 000000000000..52f27cec4782
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-01-27-09-58-52.gh-issue-144249.mCIy95.rst
@@ -0,0 +1,2 @@
+Add filename context to :exc:`OSError` exceptions raised by
+:func:`ssl.SSLContext.load_cert_chain`, allowing users to have more context.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 22865bdfc3f7..66d699b4339c 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4517,7 +4517,8 @@ load_cert_chain_lock_held(PySSLContext *self, _PySSLPasswordInfo *pw_info,
 /* the password callback has already set the error information */
 }
 else if (errno != 0) {
- PyErr_SetFromErrno(PyExc_OSError);
+ PyErr_SetFromErrnoWithFilename(PyExc_OSError,
+ PyBytes_AS_STRING(certfile_bytes));
 ERR_clear_error();
 }
 else {
@@ -4537,7 +4538,8 @@ load_cert_chain_lock_held(PySSLContext *self, _PySSLPasswordInfo *pw_info,
 /* the password callback has already set the error information */
 }
 else if (errno != 0) {
- PyErr_SetFromErrno(PyExc_OSError);
+ PyErr_SetFromErrnoWithFilename(PyExc_OSError,
+ PyBytes_AS_STRING(keyfile_bytes ? keyfile_bytes : certfile_bytes));
 ERR_clear_error();
 }
 else {
-- 2.47.3
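Review bot: `PyErr_SetFromErrnoWithFilename` takes a C string and decodes it with the filesystem encoding, so in both `_ssl.c` hunks the exception's `filename` is rebuilt from `certfile_bytes` / `keyfile_bytes` instead of being the object the caller passed. If the original path objects are reachable from `load_cert_chain_lock_held` (its signature and body continue outside the hunk), `PyErr_SetFromErrnoWithFilenameObject` with that object would keep the caller's type, as `open()` does. If they are not, a short comment such as `/* filename is decoded from the FS-encoded bytes, so it is always a str */` above the call would record that this is intentional.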
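Review bot: The fallback in `keyfile_bytes ? keyfile_bytes : certfile_bytes` in the second `_ssl.c` hunk has no comment, and the reason is not evident from the visible lines; presumably the private key is read from the certificate file when no key file was given. A line such as `/* no separate keyfile: the key is read from certfile */` above the call would make that explicit. This branch is selected only by `errno != 0`, so it is worth confirming that errno is reset before the OpenSSL call (outside the hunk), since a stale value would now name a file that was not the cause. The private-key path also becomes part of the exception text, which callers that relay error messages to remote peers or shared logs should take into account.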