|
 |
ae2451 |
diff -up Python-2.7.5/Lib/ssl.py.cert Python-2.7.5/Lib/ssl.py
|
|
|
ae2451 |
--- Python-2.7.5/Lib/ssl.py.cert 2015-03-30 14:52:12.172241615 +0200
|
|
|
ae2451 |
+++ Python-2.7.5/Lib/ssl.py 2015-03-30 15:16:49.168185354 +0200
|
|
|
ae2451 |
@@ -466,8 +466,27 @@ def _create_unverified_context(protocol=
|
|
|
ae2451 |
|
|
|
ae2451 |
return context
|
|
|
ae2451 |
|
|
|
ae2451 |
+_cert_verification_config = '/etc/python/cert-verification.cfg'
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+def _get_verify_status(protocol):
|
|
|
ae2451 |
+ context_factory = {
|
|
|
ae2451 |
+ 'platform_default': _create_unverified_context,
|
|
|
ae2451 |
+ 'enable': create_default_context,
|
|
|
ae2451 |
+ 'disable': _create_unverified_context
|
|
|
ae2451 |
+ }
|
|
|
ae2451 |
+ import ConfigParser
|
|
|
ae2451 |
+ try:
|
|
|
ae2451 |
+ config = ConfigParser.RawConfigParser()
|
|
|
ae2451 |
+ config.read(_cert_verification_config)
|
|
|
ae2451 |
+ status = config.get(protocol, 'verify')
|
|
|
ae2451 |
+ except (ConfigParser.NoSectionError, ConfigParser.NoOptionError):
|
|
|
ae2451 |
+ status = 'platform_default'
|
|
|
ae2451 |
+ default = context_factory.get('platform_default')
|
|
|
ae2451 |
+ return context_factory.get(status, default)
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+
|
|
|
ae2451 |
# Used by http.client if no context is explicitly passed.
|
|
|
ae2451 |
-_create_default_https_context = create_default_context
|
|
|
ae2451 |
+_create_default_https_context = _get_verify_status('https')
|
|
|
ae2451 |
|
|
|
ae2451 |
|
|
|
ae2451 |
# Backwards compatibility alias, even though it's not a public name.
|
|
|
ae2451 |
diff -up Python-2.7.5/Lib/test/test_httplib.py.cert Python-2.7.5/Lib/test/test_httplib.py
|
|
|
ae2451 |
--- Python-2.7.5/Lib/test/test_httplib.py.cert 2015-03-30 16:45:30.738794461 +0200
|
|
|
ae2451 |
+++ Python-2.7.5/Lib/test/test_httplib.py 2015-03-30 16:54:48.065062351 +0200
|
|
|
ae2451 |
@@ -516,12 +516,24 @@ class HTTPSTest(TestCase):
|
|
|
ae2451 |
h = httplib.HTTPSConnection(HOST, TimeoutTest.PORT, timeout=30)
|
|
|
ae2451 |
self.assertEqual(h.timeout, 30)
|
|
|
ae2451 |
|
|
|
ae2451 |
+ def test_networked_default(self):
|
|
|
ae2451 |
+ # specific to RHEL
|
|
|
ae2451 |
+ # Default settings: doesnt requires a valid cert from a trusted CA
|
|
|
ae2451 |
+ test_support.requires('network')
|
|
|
ae2451 |
+ with test_support.transient_internet('self-signed.pythontest.net'):
|
|
|
ae2451 |
+ h = httplib.HTTPSConnection('self-signed.pythontest.net', 443)
|
|
|
ae2451 |
+ h.request('GET', '/')
|
|
|
ae2451 |
+ resp = h.getresponse()
|
|
|
ae2451 |
+ self.assertIn('nginx', resp.getheader('server'))
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+ # We have to pass safe context to test cert verification
|
|
|
ae2451 |
+ # RHEL by default disable cert verification
|
|
|
ae2451 |
def test_networked(self):
|
|
|
ae2451 |
- # Default settings: requires a valid cert from a trusted CA
|
|
|
ae2451 |
import ssl
|
|
|
ae2451 |
test_support.requires('network')
|
|
|
ae2451 |
with test_support.transient_internet('self-signed.pythontest.net'):
|
|
|
ae2451 |
- h = httplib.HTTPSConnection('self-signed.pythontest.net', 443)
|
|
|
ae2451 |
+ context = ssl.create_default_context()
|
|
|
ae2451 |
+ h = httplib.HTTPSConnection('self-signed.pythontest.net', 443, context=context)
|
|
|
ae2451 |
with self.assertRaises(ssl.SSLError) as exc_info:
|
|
|
ae2451 |
h.request('GET', '/')
|
|
|
ae2451 |
self.assertEqual(exc_info.exception.reason, 'CERTIFICATE_VERIFY_FAILED')
|
|
|
ae2451 |
@@ -542,8 +554,10 @@ class HTTPSTest(TestCase):
|
|
|
ae2451 |
def test_networked_trusted_by_default_cert(self):
|
|
|
ae2451 |
# Default settings: requires a valid cert from a trusted CA
|
|
|
ae2451 |
test_support.requires('network')
|
|
|
ae2451 |
+ import ssl
|
|
|
ae2451 |
with test_support.transient_internet('www.python.org'):
|
|
|
ae2451 |
- h = httplib.HTTPSConnection('www.python.org', 443)
|
|
|
ae2451 |
+ context = ssl.create_default_context()
|
|
|
ae2451 |
+ h = httplib.HTTPSConnection('www.python.org', 443, context=context)
|
|
|
ae2451 |
h.request('GET', '/')
|
|
|
ae2451 |
resp = h.getresponse()
|
|
|
ae2451 |
content_type = resp.getheader('content-type')
|
|
|
ae2451 |
@@ -579,7 +592,8 @@ class HTTPSTest(TestCase):
|
|
|
ae2451 |
# The custom cert isn't known to the default trust bundle
|
|
|
ae2451 |
import ssl
|
|
|
ae2451 |
server = self.make_server(CERT_localhost)
|
|
|
ae2451 |
- h = httplib.HTTPSConnection('localhost', server.port)
|
|
|
ae2451 |
+ context = ssl.create_default_context()
|
|
|
ae2451 |
+ h = httplib.HTTPSConnection('localhost', server.port, context=context)
|
|
|
ae2451 |
with self.assertRaises(ssl.SSLError) as exc_info:
|
|
|
ae2451 |
h.request('GET', '/')
|
|
|
ae2451 |
self.assertEqual(exc_info.exception.reason, 'CERTIFICATE_VERIFY_FAILED')
|
|
|
ae2451 |
@@ -624,6 +638,9 @@ class HTTPSTest(TestCase):
|
|
|
ae2451 |
for hp in ("www.python.org:abc", "user:password@www.python.org"):
|
|
|
ae2451 |
self.assertRaises(httplib.InvalidURL, httplib.HTTPSConnection, hp)
|
|
|
ae2451 |
|
|
|
ae2451 |
+ import ssl
|
|
|
ae2451 |
+ context = ssl.create_default_context()
|
|
|
ae2451 |
+
|
|
|
ae2451 |
for hp, h, p in (("[fe80::207:e9ff:fe9b]:8000",
|
|
|
ae2451 |
"fe80::207:e9ff:fe9b", 8000),
|
|
|
ae2451 |
("www.python.org:443", "www.python.org", 443),
|
|
|
ae2451 |
@@ -632,7 +648,7 @@ class HTTPSTest(TestCase):
|
|
|
ae2451 |
("[fe80::207:e9ff:fe9b]", "fe80::207:e9ff:fe9b", 443),
|
|
|
ae2451 |
("[fe80::207:e9ff:fe9b]:", "fe80::207:e9ff:fe9b",
|
|
|
ae2451 |
443)):
|
|
|
ae2451 |
- c = httplib.HTTPSConnection(hp)
|
|
|
ae2451 |
+ c = httplib.HTTPSConnection(hp, context=context)
|
|
|
ae2451 |
self.assertEqual(h, c.host)
|
|
|
ae2451 |
self.assertEqual(p, c.port)
|
|
|
ae2451 |
|