id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
35653	Support EMAIL_SSL_CERTFILE for private certificate authority	dkaylor	Igor Scheller	"We have an SMTP server that is not signed by a public CA. Sending email with no SSL settings results in an ""SSL: CERTIFICATE_VERIFY_FAILED"" error.

If we set EMAIL_SSL_CERTFILE, we receive the same error. We do not have access to the key file to test with EMAIL_SSL_KEYFILE. Clients often do not have access to keys so this shouldn't be required.

Django is loading the cert files with load_cert_chain, but I believe load_verify_locations would be more appropriate:

https://github.com/django/django/blob/main/django/core/mail/backends/smtp.py#L63

The examples in the Python docs use the former for servers and the latter for clients:

https://docs.python.org/3/library/ssl.html

I wrote a simple test with load_cert_chain and it fails with the same SSL error:
{{{
ssl_context.load_cert_chain(cacert)
}}}

If I change to load_verify_locations it works
{{{
ssl_context.load_verify_locations(cacert)
}}}"	New feature	assigned	Core (Mail)	4.2	Normal			Mike Edmunds Mariusz Felisiak	Accepted	1	0	0	1	0	0