From 9051b49f652b3d98a3cb1868c8da8281710ddcab Mon Sep 17 00:00:00 2001
From: Tomas Orsava <torsava@redhat.com>
Date: Tue, 7 Feb 2017 16:28:29 +0100
Subject: [PATCH] PEP 493: Re-add file-based configuration of HTTPS
verification
---
Lib/ssl.py | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/Lib/ssl.py b/Lib/ssl.py
index f28c863..ad5a93a 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -499,15 +499,35 @@ def _create_unverified_context(protocol=PROTOCOL_TLS, cert_reqs=None,
# Backwards compatibility alias, even though it's not a public name.
_create_stdlib_context = _create_unverified_context
-# PEP 493: Verify HTTPS by default, but allow envvar to override that
+# PEP 493: Verify HTTPS by default, but allow envvar or file based
+# configuration to override that
_https_verify_envvar = 'PYTHONHTTPSVERIFY'
+_cert_verification_config = '/opt/rh/python27/root/etc/python/cert-verification.cfg'
def _get_https_context_factory():
+ # Check for an environmental override of the default behaviour
if not sys.flags.ignore_environment:
config_setting = os.environ.get(_https_verify_envvar)
- if config_setting == '0':
- return _create_unverified_context
- return create_default_context
+ if config_setting is not None:
+ if config_setting == '0':
+ return _create_unverified_context
+ return create_default_context
+
+ # Check for a system-wide override of the default behaviour
+ context_factories = {
+ 'enable': create_default_context,
+ 'disable': _create_unverified_context,
+ 'platform_default': create_default_context,
+ }
+ import ConfigParser
+ config = ConfigParser.RawConfigParser()
+ config.read(_cert_verification_config)
+ try:
+ verify_mode = config.get('https', 'verify')
+ except (ConfigParser.NoSectionError, ConfigParser.NoOptionError):
+ verify_mode = 'platform_default'
+ default_factory = context_factories.get('platform_default')
+ return context_factories.get(verify_mode, default_factory)
_create_default_https_context = _get_https_context_factory()
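Review bot: `config.read(_cert_verification_config)` in `_get_https_context_factory()` sits outside the `try`, and the handler catches only `NoSectionError`/`NoOptionError`, so a malformed cert-verification.cfg raises `ConfigParser.ParsingError` (or its subclass `MissingSectionHeaderError`); because the factory is called at module level on the last line of this hunk, that exception surfaces as a failed `import ssl` for every program run by this interpreter. Move the read under `try:` and widen the handler to `except ConfigParser.Error:`, keeping the `verify_mode = 'platform_default'` fallback so that a broken file leaves verification on. A comment next to `_cert_verification_config` should also state that this file can turn off certificate verification for all HTTPS clients in the process whenever `PYTHONHTTPSVERIFY` is unset (or ignored under `-E`), and that it is therefore expected to be writable only by root; the code itself does not check the file's ownership or mode.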
--
2.11.0