authorQuentin Pradet <quentin.pradet@gmail.com>2020-03-16 22:05:06 +0400
committerGitHub <noreply@github.com>2020-03-16 22:05:06 +0400
commiteee53a69e1af019da18635d6974f893308db0ada (patch)
tree880e7df8d2c05643e344ebcb8d4811cf816f0cb0 /src
parent7cb6b5d91fcd57d21285a05588e02a2ad1605f2b (diff)
downloadurllib3-eee53a69e1af019da18635d6974f893308db0ada.tar.gz
Ensure load_verify_locations raises SSLError for all backends (#1812)
* Ensure load_verify_locations raises SSLError for all backends This also adds TestSSL to the classes tested in SecureTransport and PyOpenSSL, since: 1. TestSSL was the most natural place for this test. 2. The test only makes sense when run against all SSL backends. Co-authored-by: Pierre-Louis Bonicoli <pierre-louis.bonicoli@libregerbil.fr> * Remove redundant check in test pytest.raises() already checks this. * Update test_socketlevel.py Co-authored-by: Pierre-Louis Bonicoli <pierre-louis.bonicoli@libregerbil.fr> Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
Diffstat (limited to 'src')
-rw-r--r--src/urllib3/contrib/pyopenssl.py9
1 files changed, 6 insertions, 3 deletions
diff --git a/src/urllib3/contrib/pyopenssl.py b/src/urllib3/contrib/pyopenssl.py
index 3051ef3a..81a80651 100644
--- a/src/urllib3/contrib/pyopenssl.py
+++ b/src/urllib3/contrib/pyopenssl.py
@@ -450,9 +450,12 @@ class PyOpenSSLContext(object):
cafile = cafile.encode("utf-8")
if capath is not None:
capath = capath.encode("utf-8")
- self._ctx.load_verify_locations(cafile, capath)
- if cadata is not None:
- self._ctx.load_verify_locations(BytesIO(cadata))
+ try:
+ self._ctx.load_verify_locations(cafile, capath)
+ if cadata is not None:
+ self._ctx.load_verify_locations(BytesIO(cadata))
+ except OpenSSL.SSL.Error as e:
+ raise ssl.SSLError("unable to load trusted certificates: %r" % e)
def load_cert_chain(self, certfile, keyfile=None, password=None):
self._ctx.use_certificate_chain_file(certfile)
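Review bot: The new try block still calls `self._ctx.load_verify_locations(cafile, capath)` unconditionally, so a caller that supplies only `cadata` reaches it with both arguments `None`. As far as I can tell pyOpenSSL rejects that, so the failure would be reported as "unable to load trusted certificates" before `cadata` is ever read; guarding the first call with `if cafile is not None or capath is not None:` would keep the cadata-only path reachable. The `cadata` branch also passes a `BytesIO` where pyOpenSSL appears to expect a file path, which would raise `TypeError` rather than `OpenSSL.SSL.Error` and so bypass this handler. A test that loads trust anchors from `cadata` alone on this backend would settle both questions. The method's signature sits above the hunk, so the start of the function is not visible here.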