Description
We are using Strimzi Kafka with authentication.type: tls and self-signed certificates.
Clients running on Python versions ≤3.12 have been able to connect without issues. However, after upgrading to Python ≥3.13, connection attempts fail with the following error:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1020)
This appears to be caused by a change introduced in Python 3.13, where ssl.create_default_context() now includes the VERIFY_X509_STRICT flag by default:
https://docs.python.org/3/whatsnew/3.13.html#ssl
Note: VERIFY_X509_STRICT may reject pre-RFC 5280 or malformed certificates that the underlying OpenSSL implementation might otherwise accept.
A workaround is to disable the flag manually:
import ssl
ctx = ssl.create_default_context()
# Clear the strict flag that 3.13 sets by default; this disables the extra RFC 5280 checks, not encryption
ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
However, this is not ideal as it reduces the level of certificate validation. The issue is not related to encryption but rather to strict RFC 5280 compliance, in particular the absence of an Authority Key Identifier in the CA certificate.
As more teams begin migrating to Python ≥3.13, this is becoming a more pressing and widespread issue.
Please consider updating the certificate generation process in Strimzi to produce RFC 5280-compliant certificates, or at least provide an option (e.g., via a feature gate) to enable such compliance when needed.
Thanks in advance!
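To reproduce the failure and exercise the workaround without a Kafka cluster, here is an added example (editor's code, not Strimzi's and not from the issue). It assumes the third-party `cryptography` package to mint a throw-away CA and two broker certificates, one without and one with an Authority Key Identifier, and then runs an in-memory TLS handshake with the standard-library ssl module, once with VERIFY_X509_STRICT set (the 3.13 default) and once with it cleared (the workaround). The broker hostname and CA name are constructed for the test:

```python
# Added example, not Strimzi's or the reporter's code. Reproduces the strict-mode
# failure with an in-memory TLS handshake (no broker needed). Assumes the third-party
# `cryptography` package for a throw-away test PKI; the check itself is stdlib ssl.
import datetime
import pathlib
import ssl
import tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SERVER_NAME = "my-cluster-kafka-bootstrap"  # constructed broker hostname
KU_FIELDS = ("digital_signature", "content_commitment", "key_encipherment", "data_encipherment",
             "key_agreement", "key_cert_sign", "crl_sign", "encipher_only", "decipher_only")

def _builder(subject_cn, issuer_name, public_key):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
            .issuer_name(issuer_name).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1)))

def _key_usage(*on):
    return x509.KeyUsage(*(field in on for field in KU_FIELDS))

def make_ca():
    # Self-signed root with critical basicConstraints, keyUsage and an SKI, so it passes
    # the strict checks itself and the leaf's AKI is the only thing that varies below.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "test-cluster-ca")])
    cert = (_builder("test-cluster-ca", name, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(_key_usage("key_cert_sign", "crl_sign"), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_server_cert(ca_key, ca_cert, server_key, with_akid):
    # with_akid=False models a leaf that lacks the RFC 5280 section 4.2.1.1 extension.
    b = (_builder(SERVER_NAME, ca_cert.subject, server_key.public_key())
         .add_extension(x509.SubjectAlternativeName([x509.DNSName(SERVER_NAME)]), critical=False)
         .add_extension(_key_usage("digital_signature", "key_encipherment"), critical=True)
         .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False))
    if with_akid:
        b = b.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()), critical=False)
    return b.sign(ca_key, hashes.SHA256())

def handshake(ca_pem, cert_pem, key_pem, strict):
    # Handshake an in-process server presenting cert_pem against a client made with
    # ssl.create_default_context(). Returns (ok, verify_message).
    with tempfile.TemporaryDirectory() as tmp:  # load_cert_chain reads from files
        crt, key = pathlib.Path(tmp, "tls.crt"), pathlib.Path(tmp, "tls.key")
        crt.write_bytes(cert_pem)
        key.write_bytes(key_pem)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(str(crt), str(key))
    client_ctx = ssl.create_default_context(cadata=ca_pem.decode())
    if strict:
        client_ctx.verify_flags |= ssl.VERIFY_X509_STRICT   # what 3.13 sets by default
    else:
        client_ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT  # the issue's workaround
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    sides = [client_ctx.wrap_bio(c_in, c_out, server_hostname=SERVER_NAME),
             server_ctx.wrap_bio(s_in, s_out, server_side=True)]
    finished = [False, False]
    try:
        for _ in range(20):  # TLS 1.3 completes in a handful of flights
            for i, side in enumerate(sides):
                if not finished[i]:
                    try:
                        side.do_handshake()
                        finished[i] = True
                    except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                        pass
            for src, dst in ((c_out, s_in), (s_out, c_in)):  # move each side's flight across
                if data := src.read():
                    dst.write(data)
            if all(finished):
                return True, ""
    except ssl.SSLCertVerificationError as e:
        return False, e.verify_message  # e.g. "Missing Authority Key Identifier"
    except ssl.SSLError as e:
        return False, str(e)
    return False, "handshake did not complete"

def run_scenarios():
    ca_key, ca_cert = make_ca()
    server_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = lambda cert: cert.public_bytes(serialization.Encoding.PEM)
    ca = pem(ca_cert)
    key = server_key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                   serialization.NoEncryption())
    no_akid = pem(issue_server_cert(ca_key, ca_cert, server_key, with_akid=False))
    akid = pem(issue_server_cert(ca_key, ca_cert, server_key, with_akid=True))
    return {"strict_no_akid": handshake(ca, no_akid, key, strict=True),
            "strict_with_akid": handshake(ca, akid, key, strict=True),
            "lenient_no_akid": handshake(ca, no_akid, key, strict=False),
            # the AKI presence check behind the reported message exists in OpenSSL 3 only
            "openssl3": ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

With Python linked against OpenSSL 3, strict_no_akid comes back as (False, "Missing Authority Key Identifier"), while strict_with_akid and lenient_no_akid succeed; the root deliberately carries keyUsage and a Subject Key Identifier because strict mode checks those on CA certificates too, so adding an AKI to the leaf is the only change between the failing and passing runs. For certificates already issued by a running cluster, the same strictness can be checked outside Python with openssl verify -x509_strict -CAfile ca.crt broker.crt.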