Issue 36866: Certificate verification errors in urllib.request become URLError (original) (raw)
The behavior of how SSL certificate validation is handled was changed in https://bugs.python.org/issue31399
This introduced a new exception, ssl.SSLCertVerificationError, which is raised for any certificate validation error, instead of the previous exception ssl.CertificateError.
The primary difference here comes into play in urllib.request:
Previously ssl.CertificateError was not derived from OSError, it instead was derived from ValueError.
As such, as of Python3.7, ssl.SSLCertVerificationError is caught by the exception handling referenced above, as it is derived from OSError, and raised as a URLError, causing exception handling issues. You must now introspect e.reason to determine if the exception was caused due to certificate verification or any other URLError, instead of simply catching separate exception types.
Starting with 3.7, all OpenSSL and certificate-related exceptions are derived from SSLError. SSLError is a subclass of OSError. For backwards compatibility, SSLCertVerificationError is both a subclass of SSLError and ValueError.
ssl.CertificateError <class 'ssl.SSLCertVerificationError'> ssl.CertificateError.mro (<class 'ssl.SSLCertVerificationError'>, <class 'ssl.SSLError'>, <class 'OSError'>, <class 'ValueError'>, <class 'Exception'>, <class 'BaseException'>, <class 'object'>)
The new behavior is more consistent than the previous. Now all SSL handshake errors are wrapped in URLError. In 3.6 and earlier unsupported TLS version, cipher suite mismatch, and similar were wrapped in URLError. Certificate related issues like untrusted cert, expired cert, hostname verification failure was not wrapped in URLError. You had to check error.reason for SSL-related errors any way.
I like to argue that the ssl module in 3.7 handles exceptions more consistently and is an improvement. The URLError behavior change is an unfortunate but reasonable side effect.
Ned, what do you think?