File revert-caching-default-sslcontext.patch of Package python-requests
From d520f46f94d0e637d440c6c0d55aa49240e2d46a Mon Sep 17 00:00:00 2001
From: Nate Prewitt <nate.prewitt@gmail.com>
Date: Thu, 18 Jul 2024 09:51:10 -0700
Subject: [PATCH] Revert caching a default SSLContext
---
src/requests/adapters.py | 55 ++++++++++++----------------------------
1 file changed, 16 insertions(+), 39 deletions(-)
Index: requests-2.32.4/src/requests/adapters.py
===================================================================
--- requests-2.32.4.orig/src/requests/adapters.py
+++ requests-2.32.4/src/requests/adapters.py
@@ -27,7 +27,6 @@ from urllib3.poolmanager import PoolMana
from urllib3.util import Timeout as TimeoutSauce
from urllib3.util import parse_url
from urllib3.util.retry import Retry
-from urllib3.util.ssl_ import create_urllib3_context
from .auth import _basic_auth_str
from .compat import basestring, urlparse
@@ -74,36 +73,6 @@ DEFAULT_RETRIES = 0
DEFAULT_POOL_TIMEOUT = None
-try:
- import ssl # noqa: F401
-
- _preloaded_ssl_context = create_urllib3_context()
- _preloaded_ssl_context.load_verify_locations(
- extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
- )
-except ImportError:
- # Bypass default SSLContext creation when Python
- # interpreter isn't built with the ssl module.
- _preloaded_ssl_context = None
-
-
-def _should_use_default_context(
- verify: "bool | str | None",
- client_cert: "typing.Tuple[str, str] | str | None",
- poolmanager_kwargs: typing.Dict[str, typing.Any],
-) -> bool:
- # Determine if we have and should use our default SSLContext
- # to optimize performance on standard requests.
- has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
- should_use_default_ssl_context = (
- verify is True
- and _preloaded_ssl_context is not None
- and not has_poolmanager_ssl_context
- and client_cert is None
- )
- return should_use_default_ssl_context
-
-
def _urllib3_request_context(
request: "PreparedRequest",
verify: "bool | str | None",
@@ -121,8 +90,6 @@ def _urllib3_request_context(
cert_loc = None
if verify is False:
cert_reqs = "CERT_NONE"
- elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
- pool_kwargs["ssl_context"] = _preloaded_ssl_context
elif verify is True:
# Set default ca cert location if none provided
cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
@@ -332,24 +299,27 @@ class HTTPAdapter(BaseAdapter):
:param cert: The SSL certificate to verify.
"""
if url.lower().startswith("https") and verify:
- conn.cert_reqs = "CERT_REQUIRED"
+ cert_loc = None
- # Only load the CA certificates if `verify` is a
- # string indicating the CA bundle to use.
+ # Allow self-specified cert location.
if verify is not True:
- # `verify` must be a str with a path then
cert_loc = verify
- if not os.path.exists(cert_loc):
- raise OSError(
- f"Could not find a suitable TLS CA certificate bundle, "
- f"invalid path: {cert_loc}"
- )
-
- if not os.path.isdir(cert_loc):
- conn.ca_certs = cert_loc
- else:
- conn.ca_cert_dir = cert_loc
+ if not cert_loc:
+ cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
+
+ if not cert_loc or not os.path.exists(cert_loc):
+ raise OSError(
+ f"Could not find a suitable TLS CA certificate bundle, "
+ f"invalid path: {cert_loc}"
+ )
+
+ conn.cert_reqs = "CERT_REQUIRED"
+
+ if not os.path.isdir(cert_loc):
+ conn.ca_certs = cert_loc
+ else:
+ conn.ca_cert_dir = cert_loc
else:
conn.cert_reqs = "CERT_NONE"
conn.ca_certs = None
