- Add revert-caching-default-sslcontext.patch upstream patch to avoid

problems with certificate caching in sslcontext. bsc#1246104, gh#psf/requests#6767 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-requests?expand=0&rev=197
2025-07-14 09:35:54 +00:00
parent 41e3c95e3c
commit 20da4f756f
3 changed files with 118 additions and 0 deletions
--- a/python-requests.changes
+++ b/python-requests.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jul 14 09:20:12 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add revert-caching-default-sslcontext.patch upstream patch to avoid
+  problems with certificate caching in sslcontext.
+  bsc#1246104, gh#psf/requests#6767
+
 -------------------------------------------------------------------
 Tue Jun 10 09:42:31 UTC 2025 - Dirk Müller <dmueller@suse.com>

--- a/python-requests.spec
+++ b/python-requests.spec
@@ -34,6 +34,8 @@ URL:            https://docs.python-requests.org/
 Source:         https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
 # PATCH-FIX-UPSTREAM gh#psf/requests#6731
 Patch0:         inject-default-ca-bundles.patch
+# PATCH-FIX-UPSTREAM revert-caching-default-sslcontext.patch gh#psf/requests#6767
+Patch1:         revert-caching-default-sslcontext.patch
 BuildRequires:  %{python_module base >= 3.7}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
--- a/revert-caching-default-sslcontext.patch
+++ b/revert-caching-default-sslcontext.patch
@@ -0,0 +1,109 @@
+From d520f46f94d0e637d440c6c0d55aa49240e2d46a Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Thu, 18 Jul 2024 09:51:10 -0700
+Subject: [PATCH] Revert caching a default SSLContext
+
+---
+ src/requests/adapters.py | 55 ++++++++++++----------------------------
+ 1 file changed, 16 insertions(+), 39 deletions(-)
+
+Index: requests-2.32.4/src/requests/adapters.py
+===================================================================
+--- requests-2.32.4.orig/src/requests/adapters.py
+++ requests-2.32.4/src/requests/adapters.py
+@@ -27,7 +27,6 @@ from urllib3.poolmanager import PoolMana
+ from urllib3.util import Timeout as TimeoutSauce
+ from urllib3.util import parse_url
+ from urllib3.util.retry import Retry
+-from urllib3.util.ssl_ import create_urllib3_context
+ 
+ from .auth import _basic_auth_str
+ from .compat import basestring, urlparse
+@@ -74,36 +73,6 @@ DEFAULT_RETRIES = 0
+ DEFAULT_POOL_TIMEOUT = None
+ 
+ 
+-try:
+-    import ssl  # noqa: F401
+-
+-    _preloaded_ssl_context = create_urllib3_context()
+-    _preloaded_ssl_context.load_verify_locations(
+-        extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+-    )
+-except ImportError:
+-    # Bypass default SSLContext creation when Python
+-    # interpreter isn't built with the ssl module.
+-    _preloaded_ssl_context = None
+-
+-
+-def _should_use_default_context(
+-    verify: "bool | str | None",
+-    client_cert: "typing.Tuple[str, str] | str | None",
+-    poolmanager_kwargs: typing.Dict[str, typing.Any],
+-) -> bool:
+-    # Determine if we have and should use our default SSLContext
+-    # to optimize performance on standard requests.
+-    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
+-    should_use_default_ssl_context = (
+-        verify is True
+-        and _preloaded_ssl_context is not None
+-        and not has_poolmanager_ssl_context
+-        and client_cert is None
+-    )
+-    return should_use_default_ssl_context
+-
+-
+ def _urllib3_request_context(
+     request: "PreparedRequest",
+     verify: "bool | str | None",
+@@ -121,8 +90,6 @@ def _urllib3_request_context(
+     cert_loc = None
+     if verify is False:
+         cert_reqs = "CERT_NONE"
+-    elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
+-        pool_kwargs["ssl_context"] = _preloaded_ssl_context
+     elif verify is True:
+         # Set default ca cert location if none provided
+         cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+@@ -332,24 +299,27 @@ class HTTPAdapter(BaseAdapter):
+         :param cert: The SSL certificate to verify.
+         """
+         if url.lower().startswith("https") and verify:
+-            conn.cert_reqs = "CERT_REQUIRED"
+            cert_loc = None
+ 
+-            # Only load the CA certificates if `verify` is a
+-            # string indicating the CA bundle to use.
+            # Allow self-specified cert location.
+             if verify is not True:
+-                # `verify` must be a str with a path then
+                 cert_loc = verify
+ 
+-                if not os.path.exists(cert_loc):
+-                    raise OSError(
+-                        f"Could not find a suitable TLS CA certificate bundle, "
+-                        f"invalid path: {cert_loc}"
+-                    )
+-
+-                if not os.path.isdir(cert_loc):
+-                    conn.ca_certs = cert_loc
+-                else:
+-                    conn.ca_cert_dir = cert_loc
+            if not cert_loc:
+                cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+
+            if not cert_loc or not os.path.exists(cert_loc):
+                raise OSError(
+                    f"Could not find a suitable TLS CA certificate bundle, "
+                    f"invalid path: {cert_loc}"
+                )
+
+            conn.cert_reqs = "CERT_REQUIRED"
+
+            if not os.path.isdir(cert_loc):
+                conn.ca_certs = cert_loc
+            else:
+                conn.ca_cert_dir = cert_loc
+         else:
+             conn.cert_reqs = "CERT_NONE"
+             conn.ca_certs = None