From d520f46f94d0e637d440c6c0d55aa49240e2d46a Mon Sep 17 00:00:00 2001
From: Nate Prewitt <nate.prewitt@gmail.com>
Date: Thu, 18 Jul 2024 09:51:10 -0700
Subject: [PATCH] Revert caching a default SSLContext
---
src/requests/adapters.py | 55 ++++++++++++----------------------------
1 file changed, 16 insertions(+), 39 deletions(-)
Index: requests-2.32.4/src/requests/adapters.py
===================================================================
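--- requests-2.32.4.orig/src/requests/adapters.py
+++ requests-2.32.4/src/requests/adapters.py
@@ -27,7 +27,6 @@ from urllib3.poolmanager import PoolMana
 from urllib3.util import Timeout as TimeoutSauce
 from urllib3.util import parse_url
 from urllib3.util.retry import Retry
-from urllib3.util.ssl_ import create_urllib3_context
 
 from .auth import _basic_auth_str
 from .compat import basestring, urlparse
@@ -74,36 +73,6 @@ DEFAULT_RETRIES = 0
 DEFAULT_POOL_TIMEOUT = None
 
 
-try:
- import ssl # noqa: F401
-
- _preloaded_ssl_context = create_urllib3_context()
- _preloaded_ssl_context.load_verify_locations(
- extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
- )
-except ImportError:
- # Bypass default SSLContext creation when Python
- # interpreter isn't built with the ssl module.
- _preloaded_ssl_context = None
-
-
-def _should_use_default_context(
- verify: "bool | str | None",
- client_cert: "typing.Tuple[str, str] | str | None",
- poolmanager_kwargs: typing.Dict[str, typing.Any],
-) -> bool:
- # Determine if we have and should use our default SSLContext
- # to optimize performance on standard requests.
- has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
- should_use_default_ssl_context = (
- verify is True
- and _preloaded_ssl_context is not None
- and not has_poolmanager_ssl_context
- and client_cert is None
- )
- return should_use_default_ssl_context
-
-
 def _urllib3_request_context(
 request: "PreparedRequest",
 verify: "bool | str | None",
@@ -121,8 +90,6 @@ def _urllib3_request_context(
 cert_loc = None
 if verify is False:
 cert_reqs = "CERT_NONE"
- elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
- pool_kwargs["ssl_context"] = _preloaded_ssl_context
 elif verify is True:
 # Set default ca cert location if none provided
 cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
@@ -332,24 +299,27 @@ class HTTPAdapter(BaseAdapter):
 :param cert: The SSL certificate to verify.
 """
 if url.lower().startswith("https") and verify:
- conn.cert_reqs = "CERT_REQUIRED"
+ cert_loc = None
 
- # Only load the CA certificates if `verify` is a
- # string indicating the CA bundle to use.
+ # Allow self-specified cert location.
 if verify is not True:
- # `verify` must be a str with a path then
 cert_loc = verify
 
- if not os.path.exists(cert_loc):
- raise OSError(
- f"Could not find a suitable TLS CA certificate bundle, "
- f"invalid path: {cert_loc}"
- )
-
- if not os.path.isdir(cert_loc):
- conn.ca_certs = cert_loc
- else:
- conn.ca_cert_dir = cert_loc
+ if not cert_loc:
+ cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+
+ if not cert_loc or not os.path.exists(cert_loc):
+ raise OSError(
+ f"Could not find a suitable TLS CA certificate bundle, "
+ f"invalid path: {cert_loc}"
+ )
+
+ conn.cert_reqs = "CERT_REQUIRED"
+
+ if not os.path.isdir(cert_loc):
+ conn.ca_certs = cert_loc
+ else:
+ conn.ca_cert_dir = cert_loc
 else:
 conn.cert_reqs = "CERT_NONE"
 conn.ca_certs = None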
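Review bot: The guard `if url.lower().startswith("https") and verify:` in the last hunk is left as it was, so any falsy `verify` other than `False` (an empty string or `None` coming from unset configuration, for instance) still lands in the `else` arm and gets `CERT_NONE` without an error, while the `_urllib3_request_context` hunk (`@@ -121,8 +90,6 @@`) turns verification off only on `verify is False`, as far as its visible lines show. Since the restored body already falls back to the bundled CA file when `cert_loc` is empty (`if not cert_loc:`), testing `verify is not False` in the guard would make those values fail closed instead; callers that rely on other falsy values to disable verification would need checking first. Separately, a truthy non-string `verify` is assigned to `cert_loc` unvalidated and `os.path.exists` accepts an integer as an open file descriptor, so a check such as `isinstance(verify, (str, os.PathLike))` before `cert_loc = verify` would be worth adding. The method body starts outside this hunk.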