diff -up Python-2.7.5/Lib/ssl.py.cert Python-2.7.5/Lib/ssl.py
--- Python-2.7.5/Lib/ssl.py.cert 2015-03-30 14:52:12.172241615 +0200
+++ Python-2.7.5/Lib/ssl.py 2015-03-30 15:16:49.168185354 +0200
@@ -466,8 +466,27 @@ def _create_unverified_context(protocol=
return context
+_cert_verification_config = '/etc/python/cert-verification.cfg'
+
+def _get_verify_status(protocol):
+ context_factory = {
+ 'platform_default': _create_unverified_context,
+ 'enable': create_default_context,
+ 'disable': _create_unverified_context
+ }
+ import ConfigParser
+ try:
+ config = ConfigParser.RawConfigParser()
+ config.read(_cert_verification_config)
+ status = config.get(protocol, 'verify')
+ except (ConfigParser.NoSectionError, ConfigParser.NoOptionError):
+ status = 'platform_default'
+ default = context_factory.get('platform_default')
+ return context_factory.get(status, default)
+
+
# Used by http.client if no context is explicitly passed.
-_create_default_https_context = create_default_context
+_create_default_https_context = _get_verify_status('https')
# Backwards compatibility alias, even though it's not a public name.
diff -up Python-2.7.5/Lib/test/test_httplib.py.cert Python-2.7.5/Lib/test/test_httplib.py
--- Python-2.7.5/Lib/test/test_httplib.py.cert 2015-03-30 16:45:30.738794461 +0200
+++ Python-2.7.5/Lib/test/test_httplib.py 2015-03-30 16:54:48.065062351 +0200
@@ -516,12 +516,24 @@ class HTTPSTest(TestCase):
h = httplib.HTTPSConnection(HOST, TimeoutTest.PORT, timeout=30)
self.assertEqual(h.timeout, 30)
+ def test_networked_default(self):
+ # specific to RHEL
+ # Default settings: doesnt requires a valid cert from a trusted CA
+ test_support.requires('network')
+ with test_support.transient_internet('self-signed.pythontest.net'):
+ h = httplib.HTTPSConnection('self-signed.pythontest.net', 443)
+ h.request('GET', '/')
+ resp = h.getresponse()
+ self.assertIn('nginx', resp.getheader('server'))
+
+ # We have to pass safe context to test cert verification
+ # RHEL by default disable cert verification
def test_networked(self):
- # Default settings: requires a valid cert from a trusted CA
import ssl
test_support.requires('network')
with test_support.transient_internet('self-signed.pythontest.net'):
- h = httplib.HTTPSConnection('self-signed.pythontest.net', 443)
+ context = ssl.create_default_context()
+ h = httplib.HTTPSConnection('self-signed.pythontest.net', 443, context=context)
with self.assertRaises(ssl.SSLError) as exc_info:
h.request('GET', '/')
self.assertEqual(exc_info.exception.reason, 'CERTIFICATE_VERIFY_FAILED')
@@ -542,8 +554,10 @@ class HTTPSTest(TestCase):
def test_networked_trusted_by_default_cert(self):
# Default settings: requires a valid cert from a trusted CA
test_support.requires('network')
+ import ssl
with test_support.transient_internet('www.python.org'):
- h = httplib.HTTPSConnection('www.python.org', 443)
+ context = ssl.create_default_context()
+ h = httplib.HTTPSConnection('www.python.org', 443, context=context)
h.request('GET', '/')
resp = h.getresponse()
content_type = resp.getheader('content-type')
@@ -579,7 +592,8 @@ class HTTPSTest(TestCase):
# The custom cert isn't known to the default trust bundle
import ssl
server = self.make_server(CERT_localhost)
- h = httplib.HTTPSConnection('localhost', server.port)
+ context = ssl.create_default_context()
+ h = httplib.HTTPSConnection('localhost', server.port, context=context)
with self.assertRaises(ssl.SSLError) as exc_info:
h.request('GET', '/')
self.assertEqual(exc_info.exception.reason, 'CERTIFICATE_VERIFY_FAILED')
@@ -624,6 +638,9 @@ class HTTPSTest(TestCase):
for hp in ("www.python.org:abc", "user:password@www.python.org"):
self.assertRaises(httplib.InvalidURL, httplib.HTTPSConnection, hp)
+ import ssl
+ context = ssl.create_default_context()
+
for hp, h, p in (("[fe80::207:e9ff:fe9b]:8000",
"fe80::207:e9ff:fe9b", 8000),
("www.python.org:443", "www.python.org", 443),
@@ -632,7 +648,7 @@ class HTTPSTest(TestCase):
("[fe80::207:e9ff:fe9b]", "fe80::207:e9ff:fe9b", 443),
("[fe80::207:e9ff:fe9b]:", "fe80::207:e9ff:fe9b",
443)):
- c = httplib.HTTPSConnection(hp)
+ c = httplib.HTTPSConnection(hp, context=context)
self.assertEqual(h, c.host)
self.assertEqual(p, c.port)