File python-2.7.9-sles-disable-verification-by-default.patch of Package python.12554

Index: Python-2.7.13/Lib/ssl.py
===================================================================
--- Python-2.7.13.orig/Lib/ssl.py
+++ Python-2.7.13/Lib/ssl.py
@@ -502,14 +502,26 @@ _create_stdlib_context = _create_unverif
 # PEP 493: Verify HTTPS by default, but allow envvar to override that
 _https_verify_envvar = 'PYTHONHTTPSVERIFY'
 
-def _get_https_context_factory():
+def _get_https_context_factory(default_enabled=True):
+    envvar_values = { '1': create_default_context, '0': _create_unverified_context }
+    envvar = default_enabled and '1' or '0'
     if not sys.flags.ignore_environment:
-        config_setting = os.environ.get(_https_verify_envvar)
-        if config_setting == '0':
-            return _create_unverified_context
-    return create_default_context
+        envvar = os.environ.get(_https_verify_envvar, envvar)
 
-_create_default_https_context = _get_https_context_factory()
+    return envvar_values.get(envvar, create_default_context)
+
+try:
+    # load the TLS checks policy from separate package
+    import sle_tls_checks_policy as policy
+    if policy.get_policy:
+        _create_default_https_context = policy.get_policy()
+    else:
+        # empty policy file means use upstream config
+        _create_default_https_context = _get_https_context_factory(default_enabled=True)
+
+except ImportError:
+    # policy not present, disable verification for backwards compatibility
+    _create_default_https_context = _get_https_context_factory(default_enabled=False)
 
 # PEP 493: "private" API to configure HTTPS defaults without monkeypatching
 def _https_verify_certificates(enable=True):
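Review bot: The `if policy.get_policy:` check in the new try block raises AttributeError, not ImportError, when the policy module defines no `get_policy`, so the case the comment calls an "empty policy file" would make `import ssl` fail instead of reaching the upstream-config branch. Look the attribute up defensively with `get_policy = getattr(policy, 'get_policy', None)` followed by `if get_policy:`. The `except ImportError` arm also catches an ImportError raised from inside sle_tls_checks_policy itself (for example a missing dependency of that module), and then certificate verification is silently off for every HTTPS client that relies on the default context. That fail-open behaviour deserves a comment at the except arm, noting that `PYTHONHTTPSVERIFY=1` re-enables verification unless the interpreter ignores the environment.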
Index: Python-2.7.13/Lib/test/test_ssl.py
===================================================================
--- Python-2.7.13.orig/Lib/test/test_ssl.py
+++ Python-2.7.13/Lib/test/test_ssl.py
@@ -1210,8 +1210,8 @@ class ContextTests(unittest.TestCase):
         # Uses a fresh SSL module to avoid affecting the real one
         local_ssl = support.import_fresh_module("ssl")
         # Certificate verification is enabled by default
-        self.assertIs(local_ssl._create_default_https_context,
-                      local_ssl.create_default_context)
+        self.assertTrue(local_ssl._create_default_https_context is local_ssl.create_default_context
+                     or local_ssl._create_default_https_context is ssl.create_default_context)
         # Turn default verification off
         local_ssl._https_verify_certificates(enable=False)
         self.assertIs(local_ssl._create_default_https_context,
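Review bot: The assertion added here still requires a verifying default context, but with the ssl.py change in this patch a system without sle_tls_checks_policy gets `_create_unverified_context`, so this test presumably fails there and the unverified fallback is not covered by any test visible in the patch. The comment above it, "Certificate verification is enabled by default", is no longer accurate either; `# Verification is on when the SLE policy module or the upstream default selects it` would match the new behaviour. Folding both identity checks into `assertTrue(... or ...)` also loses the diagnostic that `assertIs` printed; `self.assertIn(local_ssl._create_default_https_context, (local_ssl.create_default_context, ssl.create_default_context))` keeps it. The enclosing test method starts and ends outside the hunk.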