From 97d476811a0ea316429dfe37cfbdda97313736ee Mon Sep 17 00:00:00 2001
From: Kovid Goyal
Date: Tue, 8 Oct 2024 15:06:35 +0530
Subject: [PATCH] Windows: Use calibre's bundled SSL certificates instead of the system store by default I am tired of all the bug reports about SSL cerificate verify failures on windows caused by the windows certificate store not having needed intermediate certificates. So use the bundled certificates instead which are the set of certificates trusted by Firefox and curl. Can be turned off via CALIBRE_USE_SYSTEM_CERTIFICATES=1 env var
---
 bypy/macos/util.c | 1 +
 bypy/windows/util.c | 6 ++++++
 manual/customize.rst | 1 +
 src/calibre/gui2/__init__.py | 6 +++++-
 4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/bypy/macos/util.c b/bypy/macos/util.c
index 64928528ff..4a4d0a3442 100644
--- a/bypy/macos/util.c
+++ b/bypy/macos/util.c
@@ -17,6 +17,7 @@ set_env_vars(const char* contents_path) {
 for (size_t i = 0; i < arraysz(env_vars); i++) {
 env_var = env_vars[i];
 val = env_var_vals[i];
+ if (strcmp(env_var, "SSL_CERT_FILE") == 0 && getenv("CALIBRE_USE_SYSTEM_CERTIFICATES") && strcmp(getenv("CALIBRE_USE_SYSTEM_CERTIFICATES"), "1") == 0) continue;
 if (strstr(val, EXE) == val && strlen(val) >= sizeof(EXE)) {
 snprintf(buf, sizeof(buf) - 1, "%s%s", contents_path, val + sizeof(EXE) - 1);
 setenv(env_var, buf, 1);
diff --git a/bypy/windows/util.c b/bypy/windows/util.c
index 7c49e68ee4..e070a9389e 100644
--- a/bypy/windows/util.c
+++ b/bypy/windows/util.c
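Review bot: In bypy/macos/util.c the added `continue` only skips calibre's own `setenv` when `CALIBRE_USE_SYSTEM_CERTIFICATES=1`, so an `SSL_CERT_FILE` already inherited from the parent environment stays in effect and the process may still not be verifying against the system store. If that pass-through is intended, say so above the check, e.g. `/* opt-out: leave any inherited SSL_CERT_FILE untouched */`; otherwise the branch should call `unsetenv(env_var);` before `continue`. The `getenv` lookup is also loop-invariant and done twice per iteration, so it could be read once before the `for`. The body of set_env_vars starts and ends outside the hunk.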
@@ -49,6 +49,12 @@ get_install_locations(void) {
 _wputenv_s(L"QTWEBENGINE_DISABLE_SANDBOX", "1");
 _snwprintf_s(qt_prefix_dir, MAX_PATH-1, _TRUNCATE, L"%ls\\app", interpreter_data.app_dir);
 _wputenv_s(L"CALIBRE_QT_PREFIX", qt_prefix_dir);
+ // Lots of people have trouble with various websites failing to download
+ // because of missing intermediate certificates in the windows store
+ // so use the Mozilla certificate bundle
+ _snwprintf_s(qt_prefix_dir, MAX_PATH-1, _TRUNCATE, L"%ls\\mozilla-ca-certs.pem", interpreter_data.resources_path);
+ const char *s = getenv("CALIBRE_USE_SYSTEM_CERTIFICATES");
+ if (!s || strcmp(s, "1") != 0) _wputenv_s(L"SSL_CERT_FILE", qt_prefix_dir);
 }
 static void
diff --git a/manual/customize.rst b/manual/customize.rst
index 8012294ee0..eb7065c657 100644
--- a/manual/customize.rst
+++ b/manual/customize.rst
@@ -52,6 +52,7 @@ Environment variables
 the system theme -- beware of crashes and hangs.
 * ``CALIBRE_SHOW_DEPRECATION_WARNINGS`` - causes calibre to print deprecation warnings to stdout. Useful for calibre developers.
 * ``CALIBRE_NO_DEFAULT_PROGRAMS`` - prevent calibre from automatically registering the filetypes it is capable of handling with Windows.
+ * ``CALIBRE_USE_SYSTEM_CERTIFICATES`` - make calibre use the system certificate store for SSL certificate verification instead of its own certificate store on Windows and macOS.
 * ``QT_QPA_PLATFORM`` - On Linux set this to ``wayland`` to force calibre to use Wayland and ``xcb`` to force use of X11.
 * ``SYSFS_PATH`` - Use if sysfs is mounted somewhere other than /sys
 * ``http_proxy``, ``https_proxy`` - used on Linux to specify an HTTP(S) proxy
diff --git a/src/calibre/gui2/__init__.py b/src/calibre/gui2/__init__.py
index 83cbbf0ff4..3e32c6b58f 100644
--- a/src/calibre/gui2/__init__.py
+++ b/src/calibre/gui2/__init__.py
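Review bot: In bypy/windows/util.c the return value of the added `_snwprintf_s(qt_prefix_dir, MAX_PATH-1, _TRUNCATE, ...)` is ignored, so if the resources path is long enough to be truncated, `SSL_CERT_FILE` is pointed at a file that does not exist and certificate verification then depends on how the TLS library treats a missing bundle. Set the variable only when the path was formatted completely, e.g. `if (_snwprintf_s(...) > 0 && (!s || strcmp(s, "1") != 0)) _wputenv_s(L"SSL_CERT_FILE", cert_path);`, with `cert_path` a separate `wchar_t` buffer rather than a reuse of `qt_prefix_dir`, whose name no longer matches its content. Where the opt-out is not set, this call also replaces any `SSL_CERT_FILE` the user had exported, and a one-line comment saying that is deliberate would help the next reader. get_install_locations starts outside the hunk.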
@@ -1479,9 +1479,13 @@ def sanitize_env_vars():
 }
 elif iswindows:
 env_vars = {'OPENSSL_MODULES': None, 'QTWEBENGINE_DISABLE_SANDBOX': None}
+ if os.environ.get('CALIBRE_USE_SYSTEM_CERTIFICATES', '') != '1':
+ env_vars['SSL_CERT_FILE'] = None
 elif ismacos:
 env_vars = {k:None for k in (
- 'FONTCONFIG_FILE FONTCONFIG_PATH SSL_CERT_FILE OPENSSL_ENGINES OPENSSL_MODULES').split()}
+ 'FONTCONFIG_FILE FONTCONFIG_PATH OPENSSL_ENGINES OPENSSL_MODULES').split()}
+ if os.environ.get('CALIBRE_USE_SYSTEM_CERTIFICATES', '') != '1':
+ env_vars['SSL_CERT_FILE'] = None
 else:
 env_vars = {}
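Review bot: The `CALIBRE_USE_SYSTEM_CERTIFICATES` test is written out twice, once under `elif iswindows:` and once under `elif ismacos:`, and nothing records why `SSL_CERT_FILE` is only added to `env_vars` when the opt-out is absent. Computing it once before the chain, `use_system_certs = os.environ.get('CALIBRE_USE_SYSTEM_CERTIFICATES', '') == '1'`, keeps the two branches from drifting apart, and a comment such as `# SSL_CERT_FILE is set by the calibre launcher unless the user opted out; only reset it in that case` would state the intent (presumably so that a user-supplied value passes through untouched). The comparison accepts only the exact string `1`, which the added manual entry does not mention. sanitize_env_vars starts and ends outside the hunk.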