From 0f6946c0d70265dd61301608055cf092e61e10a2fffdba9f8304c11ad410d7f3 Mon Sep 17 00:00:00 2001 From: Robert Schweikert Date: Tue, 15 Mar 2016 20:09:49 +0000 Subject: [PATCH] Accepting request 373395 from home:matejcik:requests-mess - update no-default-cacert.patch to simply pass empty CA path - urllib3-ssl-default-context.patch: patch bundled urllib3 to behave correctly with regard to empty CA path passed - change urllib3 fallback requirements to Recommends - use ca-certificates in SLE as well - recommend ca-certificates-mozilla to have a basic certificate set OBS-URL: https://build.opensuse.org/request/show/373395 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-requests?expand=0&rev=87 --- no-default-cacert.patch | 37 ++++++++++++++++++++++--------- python-requests.changes | 10 +++++++++ python-requests.spec | 22 ++++++++++++------ urllib3-ssl-default-context.patch | 13 +++++++++++ 4 files changed, 65 insertions(+), 17 deletions(-) create mode 100644 urllib3-ssl-default-context.patch diff --git a/no-default-cacert.patch b/no-default-cacert.patch index f543168..9991f33 100644 --- a/no-default-cacert.patch +++ b/no-default-cacert.patch @@ -1,22 +1,39 @@ ---- a/MANIFEST.in -+++ b/MANIFEST.in +Index: requests-2.9.1/MANIFEST.in +=================================================================== +--- requests-2.9.1.orig/MANIFEST.in ++++ requests-2.9.1/MANIFEST.in 
@@ -1 +1 @@ -include README.rst LICENSE NOTICE HISTORY.rst test_requests.py requirements.txt requests/cacert.pem +include README.rst LICENSE NOTICE HISTORY.rst test_requests.py requirements.txt ---- a/requests/adapters.py -+++ b/requests/adapters.py -@@ -182,9 +182,6 @@ class HTTPAdapter(BaseAdapter): - if not cert_loc: - cert_loc = DEFAULT_CA_BUNDLE_PATH +Index: requests-2.9.1/requests/adapters.py +=================================================================== +--- requests-2.9.1.orig/requests/adapters.py ++++ requests-2.9.1/requests/adapters.py +@@ -179,15 +179,13 @@ class HTTPAdapter(BaseAdapter): + if verify is not True: + cert_loc = verify +- if not cert_loc: +- cert_loc = DEFAULT_CA_BUNDLE_PATH +- - if not cert_loc: - raise Exception("Could not find a suitable SSL CA certificate bundle.") - conn.cert_reqs = 'CERT_REQUIRED' - if not os.path.isdir(cert_loc): ---- a/requests/certs.py -+++ b/requests/certs.py +- if not os.path.isdir(cert_loc): ++ if cert_loc is None: ++ # use default context ++ conn.ca_certs = None ++ conn.ca_cert_dir = None ++ elif not os.path.isdir(cert_loc): + conn.ca_certs = cert_loc + else: + conn.ca_cert_dir = cert_loc +Index: requests-2.9.1/requests/certs.py +=================================================================== +--- requests-2.9.1.orig/requests/certs.py ++++ requests-2.9.1/requests/certs.py @@ -18,8 +18,9 @@ try: except ImportError: def where(): diff --git a/python-requests.changes b/python-requests.changes index d353d7a..de64e0f 100644 --- a/python-requests.changes +++ b/python-requests.changes 
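Review bot: In the rewritten certificate branch of `HTTPAdapter` in requests/adapters.py, only the new `cert_loc is None` case clears both `conn.ca_certs` and `conn.ca_cert_dir`; the file and directory cases each set one attribute and leave the other as it was. If `conn` is a pooled object reused across calls with different `verify` values (not visible in this hunk, please confirm), a CA directory set by an earlier call would remain in effect next to a later CA file, so more roots would be trusted than the caller asked for. Clearing the counterpart in each case, `conn.ca_certs = cert_loc; conn.ca_cert_dir = None` and `conn.ca_cert_dir = cert_loc; conn.ca_certs = None`, makes the three cases symmetric. The hunk also drops the explicit "Could not find a suitable SSL CA certificate bundle." exception, so a missing default store now shows up only at handshake time. The method body starts outside the hunk.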
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Mar 1 17:44:11 UTC 2016 - jmatejek@suse.com
+
+- update no-default-cacert.patch to simply pass empty CA path
+- urllib3-ssl-default-context.patch: patch bundled urllib3 to behave
+ correctly with regard to empty CA path passed
+- change urllib3 fallback requirements to Recommends
+- use ca-certificates in SLE as well
+- recommend ca-certificates-mozilla to have a basic certificate set
+
 -------------------------------------------------------------------
 Wed Feb 17 14:47:12 UTC 2016 - sor.alexei@meowr.ru
diff --git a/python-requests.spec b/python-requests.spec
index a92897c..8af1ed8 100644
--- a/python-requests.spec
+++ b/python-requests.spec
@@ -29,19 +29,26 @@ Url: http://python-requests.org/
 Source: http://pypi.python.org/packages/source/r/requests/requests-%{version}.tar.gz
 # PATCH-FIX-OPENSUSE no-default-cacert.patch -- Completely ignore the internal CA bundle.
 Patch0: no-default-cacert.patch
+# PATCH-FIX-UPSTREAM update urllib3 to do the proper passthrough to set_default_verify_paths
+Patch1: urllib3-ssl-default-context.patch
 BuildRequires: python
 BuildRequires: python-devel
 BuildRequires: python-py
 BuildRequires: python-setuptools
 Requires: python
-# Really needed?
-#Requires: python-ndg-httpsclient
-Requires: python-pyOpenSSL
-Requires: python-pyasn1
-%if 0%{?suse_version} >= 1120 && !(0%{?suse_version} == 1315 && !0%{?is_opensuse})
+# requirements for pyopenssl fallback of bundled urllib3
+Recommends: python-ndg-httpsclient
+Recommends: python-pyOpenSSL
+Recommends: python-pyasn1
+%if 0%{?suse_version} <= 1200
+BuildRequires: openssl-certs
+Requires: openssl-certs
+%else
 BuildRequires: ca-certificates
 Requires: ca-certificates
 %endif
+# for good measure, at least recommend an actual set of certificates
+Recommends: ca-certificates-mozilla
 %if 0%{?suse_version} >= 1120
 BuildArch: noarch
 %else
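Review bot: `ca-certificates-mozilla` is only a `Recommends:`, while the `%prep` change in this commit deletes `requests/cacert.pem` on every target, so an installation made with recommended packages disabled may end up with no root certificates at all. Verification would then presumably fail for every HTTPS request rather than being skipped, but the cause is hard to read from the client-side error. The comment above the line should say so, for example `# without a root certificate package installed, verified HTTPS requests will fail; the bundled cacert.pem is removed in %prep`. The `Patch1` comment also lacks the patch file name that the `Patch0` comment carries (`# PATCH-FIX-OPENSUSE no-default-cacert.patch -- ...`).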
@@ -73,10 +80,11 @@ Features:
 %prep
 %setup -q -n requests-%{version}
-%if 0%{?suse_version} >= 1120 && !(0%{?suse_version} == 1315 && !0%{?is_opensuse})
 %patch0 -p1
+pushd requests/packages
+%patch1 -p1
+popd
 rm -f requests/cacert.pem
-%endif
 %build
 python setup.py build
diff --git a/urllib3-ssl-default-context.patch b/urllib3-ssl-default-context.patch
new file mode 100644
index 0000000..5745aa9
--- /dev/null
+++ b/urllib3-ssl-default-context.patch
@@ -0,0 +1,13 @@
+Index: b/urllib3/util/ssl_.py
+===================================================================
+--- a/urllib3/util/ssl_.py
++++ b/urllib3/util/ssl_.py
+@@ -299,6 +299,8 @@ def ssl_wrap_socket(sock, keyfile=None,
+ if e.errno == errno.ENOENT:
+ raise SSLError(e)
+ raise
++ elif cert_reqs != ssl.CERT_NONE and hasattr(context, 'set_default_verify_paths'):
++ context.set_default_verify_paths()
+
+ if certfile:
+ context.load_cert_chain(certfile, keyfile)
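Review bot: The added `elif` in `ssl_wrap_socket` is skipped without any signal when `context` lacks `set_default_verify_paths`, although verification was requested and, judging by the placement, no CA file or directory was supplied. The connection attempt then continues with no trust roots loaded, and the caller most likely sees only a generic verification error. Splitting the test makes the failure explicit: keep `elif cert_reqs != ssl.CERT_NONE:` and raise inside it before the call, `if not hasattr(context, 'set_default_verify_paths'): raise SSLError('no CA certificates given and context cannot load system defaults')`. A one-line comment such as `# no explicit CA location: fall back to the system trust store` would also help the next reader. The `if` that this `elif` belongs to starts outside the hunk.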