From 20da4f756f941f0d6e6ba37ddb954d6893bf50819d0da6a9ffeaa445b7a0a274 Mon Sep 17 00:00:00 2001
From: Daniel Garcia
Date: Mon, 14 Jul 2025 09:35:54 +0000
Subject: [PATCH] - Add revert-caching-default-sslcontext.patch upstream patch to avoid problems with certificate caching in sslcontext. bsc#1246104, gh#psf/requests#6767
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-requests?expand=0&rev=197
---
 python-requests.changes | 7 ++
 python-requests.spec | 2 +
 revert-caching-default-sslcontext.patch | 109 ++++++++++++++++++++++++
 3 files changed, 118 insertions(+)
 create mode 100644 revert-caching-default-sslcontext.patch
diff --git a/python-requests.changes b/python-requests.changes
index f303c81..64ab3bb 100644
--- a/python-requests.changes
+++ b/python-requests.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jul 14 09:20:12 UTC 2025 - Daniel Garcia
+
+- Add revert-caching-default-sslcontext.patch upstream patch to avoid
+ problems with certificate caching in sslcontext.
+ bsc#1246104, gh#psf/requests#6767
+
 -------------------------------------------------------------------
 Tue Jun 10 09:42:31 UTC 2025 - Dirk Müller
 
diff --git a/python-requests.spec b/python-requests.spec
index 8e55f2f..6c038f9 100644
--- a/python-requests.spec
+++ b/python-requests.spec
@@ -34,6 +34,8 @@ URL: https://docs.python-requests.org/
 Source: https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
 # PATCH-FIX-UPSTREAM gh#psf/requests#6731
 Patch0: inject-default-ca-bundles.patch
+# PATCH-FIX-UPSTREAM revert-caching-default-sslcontext.patch gh#psf/requests#6767
+Patch1: revert-caching-default-sslcontext.patch
 BuildRequires: %{python_module base >= 3.7}
 BuildRequires: %{python_module pip}
 BuildRequires: %{python_module setuptools}
diff --git a/revert-caching-default-sslcontext.patch b/revert-caching-default-sslcontext.patch
new file mode 100644
index 0000000..f12aa4c
--- /dev/null
+++ b/revert-caching-default-sslcontext.patch 
@@ -0,0 +1,109 @@
+From d520f46f94d0e637d440c6c0d55aa49240e2d46a Mon Sep 17 00:00:00 2001
+From: Nate Prewitt
+Date: Thu, 18 Jul 2024 09:51:10 -0700
+Subject: [PATCH] Revert caching a default SSLContext
+
+---
+ src/requests/adapters.py | 55 ++++++++++++----------------------------
+ 1 file changed, 16 insertions(+), 39 deletions(-)
+
+Index: requests-2.32.4/src/requests/adapters.py
+===================================================================
+--- requests-2.32.4.orig/src/requests/adapters.py
++++ requests-2.32.4/src/requests/adapters.py
+@@ -27,7 +27,6 @@ from urllib3.poolmanager import PoolMana
+ from urllib3.util import Timeout as TimeoutSauce
+ from urllib3.util import parse_url
+ from urllib3.util.retry import Retry
+-from urllib3.util.ssl_ import create_urllib3_context
+
+ from .auth import _basic_auth_str
+ from .compat import basestring, urlparse
+@@ -74,36 +73,6 @@ DEFAULT_RETRIES = 0
+ DEFAULT_POOL_TIMEOUT = None
+
+
+-try:
+- import ssl # noqa: F401
+-
+- _preloaded_ssl_context = create_urllib3_context()
+- _preloaded_ssl_context.load_verify_locations(
+- extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+- )
+-except ImportError:
+- # Bypass default SSLContext creation when Python
+- # interpreter isn't built with the ssl module.
+- _preloaded_ssl_context = None
+-
+-
+-def _should_use_default_context(
+- verify: "bool | str | None",
+- client_cert: "typing.Tuple[str, str] | str | None",
+- poolmanager_kwargs: typing.Dict[str, typing.Any],
+-) -> bool:
+- # Determine if we have and should use our default SSLContext
+- # to optimize performance on standard requests.
+- has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
+- should_use_default_ssl_context = (
+- verify is True
+- and _preloaded_ssl_context is not None
+- and not has_poolmanager_ssl_context
+- and client_cert is None
+- )
+- return should_use_default_ssl_context
+-
+-
+ def _urllib3_request_context(
+ request: "PreparedRequest",
+ verify: "bool | str | None",
+@@ -121,8 +90,6 @@ def _urllib3_request_context(
+ cert_loc = None
+ if verify is False:
+ cert_reqs = "CERT_NONE"
+- elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
+- pool_kwargs["ssl_context"] = _preloaded_ssl_context
+ elif verify is True:
+ # Set default ca cert location if none provided
+ cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+@@ -332,24 +299,27 @@ class HTTPAdapter(BaseAdapter):
+ :param cert: The SSL certificate to verify.
+ """
+ if url.lower().startswith("https") and verify:
+- conn.cert_reqs = "CERT_REQUIRED"
++ cert_loc = None
+
+- # Only load the CA certificates if `verify` is a
+- # string indicating the CA bundle to use.
++ # Allow self-specified cert location.
+ if verify is not True:
+- # `verify` must be a str with a path then
+ cert_loc = verify
+
+- if not os.path.exists(cert_loc):
+- raise OSError(
+- f"Could not find a suitable TLS CA certificate bundle, "
+- f"invalid path: {cert_loc}"
+- )
+-
+- if not os.path.isdir(cert_loc):
+- conn.ca_certs = cert_loc
+- else:
+- conn.ca_cert_dir = cert_loc
++ if not cert_loc:
++ cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
++
++ if not cert_loc or not os.path.exists(cert_loc):
++ raise OSError(
++ f"Could not find a suitable TLS CA certificate bundle, "
++ f"invalid path: {cert_loc}"
++ )
++
++ conn.cert_reqs = "CERT_REQUIRED"
++
++ if not os.path.isdir(cert_loc):
++ conn.ca_certs = cert_loc
++ else:
++ conn.ca_cert_dir = cert_loc
+ else:
+ conn.cert_reqs = "CERT_NONE"
+ conn.ca_certs = None
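Review bot: The header of the embedded patch no longer describes its body: the diffstat carried over from upstream commit d520f46 reads 16 insertions and 39 deletions, while the four hunks against requests-2.32.4 add 17 lines and remove 47, so the patch looks refreshed (presumably on top of Patch0) rather than taken verbatim. Since it changes TLS trust setup (the import-time `_preloaded_ssl_context` is dropped, and `cert_verify` now resolves `DEFAULT_CA_BUNDLE_PATH` itself when `verify is True`, raising `OSError` before `cert_reqs` is set if the path is missing), I would say so in the patch header, for example `Refreshed for requests-2.32.4 (bsc#1246104); verify=True now fails with OSError when the default CA bundle path does not exist`. The `PATCH-FIX-UPSTREAM` tag in the spec should stay as it is only once the refreshed hunks have been compared with the upstream commit.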