From d520f46f94d0e637d440c6c0d55aa49240e2d46a Mon Sep 17 00:00:00 2001
From: Nate Prewitt
Date: Thu, 18 Jul 2024 09:51:10 -0700
Subject: [PATCH] Revert caching a default SSLContext
---
 src/requests/adapters.py | 55 ++++++++++++----------------------------
 1 file changed, 16 insertions(+), 39 deletions(-)
Index: requests-2.32.4/src/requests/adapters.py
===================================================================
--- requests-2.32.4.orig/src/requests/adapters.py
+++ requests-2.32.4/src/requests/adapters.py
@@ -27,7 +27,6 @@ from urllib3.poolmanager import PoolMana
 from urllib3.util import Timeout as TimeoutSauce
 from urllib3.util import parse_url
 from urllib3.util.retry import Retry
-from urllib3.util.ssl_ import create_urllib3_context
 from .auth import _basic_auth_str
 from .compat import basestring, urlparse
@@ -74,36 +73,6 @@ DEFAULT_RETRIES = 0
 DEFAULT_POOL_TIMEOUT = None
-try:
- import ssl # noqa: F401
-
- _preloaded_ssl_context = create_urllib3_context()
- _preloaded_ssl_context.load_verify_locations(
- extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
- )
-except ImportError:
- # Bypass default SSLContext creation when Python
- # interpreter isn't built with the ssl module.
- _preloaded_ssl_context = None
-
-
-def _should_use_default_context(
- verify: "bool | str | None",
- client_cert: "typing.Tuple[str, str] | str | None",
- poolmanager_kwargs: typing.Dict[str, typing.Any],
-) -> bool:
- # Determine if we have and should use our default SSLContext
- # to optimize performance on standard requests.
- has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
- should_use_default_ssl_context = (
- verify is True
- and _preloaded_ssl_context is not None
- and not has_poolmanager_ssl_context
- and client_cert is None
- )
- return should_use_default_ssl_context
-
-
 def _urllib3_request_context(
 request: "PreparedRequest",
 verify: "bool | str | None",
@@ -121,8 +90,6 @@ def _urllib3_request_context(
 cert_loc = None
 if verify is False:
 cert_reqs = "CERT_NONE"
- elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
- pool_kwargs["ssl_context"] = _preloaded_ssl_context
 elif verify is True:
 # Set default ca cert location if none provided
 cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
@@ -332,24 +299,27 @@ class HTTPAdapter(BaseAdapter):
 :param cert: The SSL certificate to verify.
 """
 if url.lower().startswith("https") and verify:
- conn.cert_reqs = "CERT_REQUIRED"
+ cert_loc = None
- # Only load the CA certificates if `verify` is a
- # string indicating the CA bundle to use.
+ # Allow self-specified cert location.
 if verify is not True:
- # `verify` must be a str with a path then
 cert_loc = verify
- if not os.path.exists(cert_loc):
- raise OSError(
- f"Could not find a suitable TLS CA certificate bundle, "
- f"invalid path: {cert_loc}"
- )
-
- if not os.path.isdir(cert_loc):
- conn.ca_certs = cert_loc
- else:
- conn.ca_cert_dir = cert_loc
+ if not cert_loc:
+ cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+
+ if not cert_loc or not os.path.exists(cert_loc):
+ raise OSError(
+ f"Could not find a suitable TLS CA certificate bundle, "
+ f"invalid path: {cert_loc}"
+ )
+
+ conn.cert_reqs = "CERT_REQUIRED"
+
+ if not os.path.isdir(cert_loc):
+ conn.ca_certs = cert_loc
+ else:
+ conn.ca_cert_dir = cert_loc
 else:
 conn.cert_reqs = "CERT_NONE"
 conn.ca_certs = None
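Review bot: The added `if not cert_loc:` fallback and the `not cert_loc` test in `if not cert_loc or not os.path.exists(cert_loc):` never see a falsy `verify`, because the unchanged guard `if url.lower().startswith("https") and verify:` already sends `""`, `None` or `0` to the `else` branch that sets `conn.cert_reqs = "CERT_NONE"`. Unless a caller outside this hunk normalises the value, a `verify` built from configuration or an unset environment variable would get an unverified TLS connection rather than the default CA bundle or an error, and nothing in the new code says so. I would state that next to the fallback, e.g. `# A falsy verify ("" / None) never reaches this fallback; it takes the CERT_NONE branch below.`, and consider rejecting falsy values other than `False` in a follow-up. Indentation is lost in this view, so the nesting is inferred from the code's logic, and the method starts above the hunk.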