pythongh-144249: Report filename in SSLContext.load_cert_chain errors

romuald · romuald · commit b196c8fb089c · 2026-01-27T10:00:30.000+01:00
When user tries to load a certificate chain, attach the related
filename to the exception being raised. Improving user experience
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
@@ -131,6 +131,7 @@ def data_file(*name):
 EMPTYCERT = data_file("nullcert.pem")
 BADCERT = data_file("badcert.pem")
 NONEXISTINGCERT = data_file("XXXnonexisting.pem")
+NONEXISTINGKEY = data_file("XXXnonexistingkey.pem")
 BADKEY = data_file("badkey.pem")
 NOKIACERT = data_file("nokia.pem")
 NULLBYTECERT = data_file("nullbytecert.pem")
@@ -1229,6 +1230,11 @@ def test_load_cert_chain(self):
         with self.assertRaises(OSError) as cm:
             ctx.load_cert_chain(NONEXISTINGCERT)
         self.assertEqual(cm.exception.errno, errno.ENOENT)
+        self.assertEqual(cm.exception.filename, NONEXISTINGCERT)
+        with self.assertRaises(OSError) as cm:
+            ctx.load_cert_chain(CERTFILE, keyfile=NONEXISTINGKEY)
+        self.assertEqual(cm.exception.errno, errno.ENOENT)
+        self.assertEqual(cm.exception.filename, NONEXISTINGKEY)
         with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
             ctx.load_cert_chain(BADCERT)
         with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
@@ -4517,7 +4517,8 @@ load_cert_chain_lock_held(PySSLContext *self, _PySSLPasswordInfo *pw_info,
             /* the password callback has already set the error information */
         }
         else if (errno != 0) {
-            PyErr_SetFromErrno(PyExc_OSError);
+            PyErr_SetFromErrnoWithFilename(PyExc_OSError,
+                PyBytes_AS_STRING(certfile_bytes));
             ERR_clear_error();
         }
         else {
@@ -4537,7 +4538,8 @@ load_cert_chain_lock_held(PySSLContext *self, _PySSLPasswordInfo *pw_info,
             /* the password callback has already set the error information */
         }
         else if (errno != 0) {
-            PyErr_SetFromErrno(PyExc_OSError);
+            PyErr_SetFromErrnoWithFilename(PyExc_OSError,
+                PyBytes_AS_STRING(keyfile_bytes ? keyfile_bytes : certfile_bytes));
             ERR_clear_error();
         }
         else {

Original file line number	Diff line number	Diff line change
`@@ -4517,7 +4517,8 @@ load_cert_chain_lock_held(PySSLContext self, _PySSLPasswordInfo pw_info,`
`4517`	`4517`	`/* the password callback has already set the error information */`
`4518`	`4518`	`}`
`4519`	`4519`	`else if (errno != 0) {`
`4520`		`- PyErr_SetFromErrno(PyExc_OSError);`
	`4520`	`+ PyErr_SetFromErrnoWithFilename(PyExc_OSError,`
	`4521`	`+ PyBytes_AS_STRING(certfile_bytes));`
`4521`	`4522`	`ERR_clear_error();`
`4522`	`4523`	`}`
`4523`	`4524`	`else {`
`@@ -4537,7 +4538,8 @@ load_cert_chain_lock_held(PySSLContext self, _PySSLPasswordInfo pw_info,`
`4537`	`4538`	`/* the password callback has already set the error information */`
`4538`	`4539`	`}`
`4539`	`4540`	`else if (errno != 0) {`
`4540`		`- PyErr_SetFromErrno(PyExc_OSError);`
	`4541`	`+ PyErr_SetFromErrnoWithFilename(PyExc_OSError,`
	`4542`	`+ PyBytes_AS_STRING(keyfile_bytes ? keyfile_bytes : certfile_bytes));`
`4541`	`4543`	`ERR_clear_error();`
`4542`	`4544`	`}`
`4543`	`4545`	`else {`