Python programs not functioning because of SSL/TSL protocol filtering (SSL: CERTIFICATE_VERIFY_FAILED)

[Jahus 1]

A SSL: CERTIFICATE_VERIFY_FAILED error is thrown to Python programs (like pip) when trying to access Internet.

The python -m pip install --upgrade pip, that allows to update pip, or any pip install <package> command throws the same error.

Python-dependent programs like streamlink have the same behaviour and need --http-no-ssl-verify or similar flag to function properly.

Adding pypi.org and files.pythonhosted.org to trusted hosts as a workaround doesn't work. What's needed is to either disable SSL/TSL protocol filtering or add python.exe and pip.exe to the List of SSL/TLS filtered application with "Ignore" as Scan action.

The reason I open this topic is that maybe, there will be a way to conciliate both and make these programs work without an input from the user. But I don't know if the change needs to be done from ESET's side or Python's side. In any situation, I hope this topic will be at least informative and helpful for users who face the same issue.

----------------

Full error from pip.exe

WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)'))': /packages/1a/70/1935c770cb3be6e3a8b78ced23d7e0f3b187f5cbfab4749523ed65d7c9b1/requests-2.23.0-py2.py3-none-any.whl

 

[itman 1,659]

Most likely related to this. Outside of the browser, Eset uses the Win root CA store for certificate validation. If whatever you are doing Python-wise uses a custom root CA store, something similar to the following needs to be implemented:

Quote

Additional to this issue:

Python requests library on windows use CA bundle instead of Windows Cert Store

Since UST package everything in PEX file. CA Bundle located here

[User Sync Tool Path]\.pex\install\requests-2.13.0-py2.py3-none-any.whl.59dc5c6338fb72ca09dcf97dda36a7aaa5d6bd0e\requests-2.13.0-py2.py3-none-any.whl\requests\cacert.pem

If you have SSL inbound inspection or forward proxy enabled on the firewall. I think you would need to point Python requests CABundle to Firewall CA cert

if your firewall CA cert is in DER format. you will need to use this command to convert to pem.

openssl x509 -inform DER -in firewallcert.crt -out firewallcert.pem -outform PEM

Create environment variable name: REQUESTS_CA_BUNDLE
with the path to firewallcert PEM file.

https://github.com/adobe-apiplatform/user-sync.py/issues/204

Edited March 21, 2020 by itman