From af66521381d9e6806ca80b7e297b704e6a4966c9 Mon Sep 17 00:00:00 2001
From: Jonas Laursen
Date: Wed, 17 May 2017 07:29:21 -0700
Subject: [PATCH 1/2] Fix #4025
---
requests/adapters.py | 62 +++++++++++++++++++++---------------------
tests/test_requests.py | 4 +++
2 files changed, 35 insertions(+), 31 deletions(-)
diff --git a/requests/adapters.py b/requests/adapters.py
index fd46325a..c4403985 100644
--- a/requests/adapters.py
+++ b/requests/adapters.py
@@ -209,44 +209,44 @@ class HTTPAdapter(BaseAdapter): to a CA bundle to use :param cert: The SSL certificate to verify. """ - if url.lower().startswith('https') and verify: + if url.lower().startswith('https'): + if verify: + cert_loc = None - cert_loc = None + # Allow self-specified cert location. + if verify is not True: + cert_loc = verify - # Allow self-specified cert location. - if verify is not True: - cert_loc = verify + if not cert_loc: + cert_loc = DEFAULT_CA_BUNDLE_PATH - if not cert_loc: - cert_loc = DEFAULT_CA_BUNDLE_PATH + if not cert_loc or not os.path.exists(cert_loc): + raise IOError("Could not find a suitable TLS CA certificate bundle, " + "invalid path: {0}".format(cert_loc)) - if not cert_loc or not os.path.exists(cert_loc): - raise IOError("Could not find a suitable TLS CA certificate bundle, " - "invalid path: {0}".format(cert_loc)) + conn.cert_reqs = 'CERT_REQUIRED' - conn.cert_reqs = 'CERT_REQUIRED' - - if not os.path.isdir(cert_loc): - conn.ca_certs = cert_loc + if not os.path.isdir(cert_loc): + conn.ca_certs = cert_loc + else: + conn.ca_cert_dir = cert_loc else: - conn.ca_cert_dir = cert_loc - else: - conn.cert_reqs = 'CERT_NONE' - conn.ca_certs = None - conn.ca_cert_dir = None + conn.cert_reqs = 'CERT_NONE' + conn.ca_certs = None + conn.ca_cert_dir = None - if cert: - if not isinstance(cert, basestring): - conn.cert_file = cert[0] - conn.key_file = cert[1] - else: - conn.cert_file = cert - if conn.cert_file and not os.path.exists(conn.cert_file): - raise IOError("Could not find the TLS certificate file, " - "invalid path: {0}".format(conn.cert_file)) - if conn.key_file and not os.path.exists(conn.key_file): - raise IOError("Could not find the TLS key file, " - "invalid path: {0}".format(conn.key_file)) + if cert: + if not isinstance(cert, basestring): + conn.cert_file = cert[0] + conn.key_file = cert[1] + else: + conn.cert_file = cert + if conn.cert_file and not os.path.exists(conn.cert_file): + raise IOError("Could not find the TLS 
certificate file, " + "invalid path: {0}".format(conn.cert_file)) + if conn.key_file and not os.path.exists(conn.key_file): + raise IOError("Could not find the TLS key file, " + "invalid path: {0}".format(conn.key_file)) def build_response(self, req, resp): """Builds a :class:`Response ` object from a urllib3 diff --git a/tests/test_requests.py b/tests/test_requests.py index 0dad423c..d8a42151 100755 --- a/tests/test_requests.py +++ b/tests/test_requests.py @@ -786,6 +786,10 @@ class TestRequests: requests.get(httpbin_secure(), cert=('.', INVALID_PATH)) assert str(e.value) == 'Could not find the TLS key file, invalid path: {0}'.format(INVALID_PATH) + def test_http_with_certificate(self, httpbin): + r = requests.get(httpbin(), cert='.') + assert r.status_code == 200 + def test_https_warnings(self, httpbin_secure, httpbin_ca_bundle): """warnings are emitted with requests.get""" if HAS_MODERN_SSL or HAS_PYOPENSSL: From 00c6ad58b765032276f479a6336ad3a2c0ff025a Mon Sep 17 00:00:00 2001 From: Jonas Laursen Date: Wed, 17 May 2017 11:27:15 -0700 Subject: [PATCH 2/2] Simplify fix for #4025 --- requests/adapters.py | 63 ++++++++++++++++++++++---------------------- 1 file changed, 32 insertions(+), 31 deletions(-) diff --git a/requests/adapters.py b/requests/adapters.py index c4403985..0d461b35 100644 --- a/requests/adapters.py +++ b/requests/adapters.py 
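Review bot: Neither the CA settings nor the client-certificate settings are fully reset in this method, so values from an earlier call can survive on `conn` if the same pool object is passed in again (whether it is reused is not visible in this hunk). In the verify branch only one of `conn.ca_certs` / `conn.ca_cert_dir` is assigned and the other keeps its previous value, and `if cert:` has no `else`, so a call without `cert` leaves any earlier `conn.cert_file` / `conn.key_file` in place. I would put `conn.ca_certs = conn.ca_cert_dir = None` before the `os.path.isdir(cert_loc)` test and add `else: conn.cert_file = conn.key_file = None` to the `if cert:` block. The same applies to the rewritten body in the [PATCH 2/2] hunk. The method's `def` line is outside the hunk.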
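Review bot: `test_http_with_certificate` covers only the string form of `cert` with a path that exists, so it does not pin how a plain-http request behaves with a `(cert, key)` tuple or with a missing path. With the adapter hunk in this patch the whole `cert` block is skipped for non-https URLs, so a wrong client-certificate path on an http URL is accepted silently; if that is intended, a second assertion that `requests.get(httpbin(), cert=INVALID_PATH)` also returns 200 would document it. A one-line docstring, presumably something like `"""cert on a plain-http URL must not raise (#4025)"""`, would tell the reader what the test guards. The TestRequests class begins and ends outside the hunk.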
@@ -209,44 +209,45 @@ class HTTPAdapter(BaseAdapter): to a CA bundle to use :param cert: The SSL certificate to verify. """ - if url.lower().startswith('https'): - if verify: - cert_loc = None + if url.lower().startswith('https') and verify: - # Allow self-specified cert location. - if verify is not True: - cert_loc = verify + cert_loc = None - if not cert_loc: - cert_loc = DEFAULT_CA_BUNDLE_PATH + # Allow self-specified cert location. + if verify is not True: + cert_loc = verify - if not cert_loc or not os.path.exists(cert_loc): - raise IOError("Could not find a suitable TLS CA certificate bundle, " - "invalid path: {0}".format(cert_loc)) + if not cert_loc: + cert_loc = DEFAULT_CA_BUNDLE_PATH - conn.cert_reqs = 'CERT_REQUIRED' + if not cert_loc or not os.path.exists(cert_loc): + raise IOError("Could not find a suitable TLS CA certificate bundle, " + "invalid path: {0}".format(cert_loc)) - if not os.path.isdir(cert_loc): - conn.ca_certs = cert_loc - else: - conn.ca_cert_dir = cert_loc + conn.cert_reqs = 'CERT_REQUIRED' + + if not os.path.isdir(cert_loc): + conn.ca_certs = cert_loc else: - conn.cert_reqs = 'CERT_NONE' - conn.ca_certs = None - conn.ca_cert_dir = None + conn.ca_cert_dir = cert_loc + else: + conn.cert_reqs = 'CERT_NONE' + conn.ca_certs = None + conn.ca_cert_dir = None - if cert: - if not isinstance(cert, basestring): - conn.cert_file = cert[0] - conn.key_file = cert[1] - else: - conn.cert_file = cert - if conn.cert_file and not os.path.exists(conn.cert_file): - raise IOError("Could not find the TLS certificate file, " - "invalid path: {0}".format(conn.cert_file)) - if conn.key_file and not os.path.exists(conn.key_file): - raise IOError("Could not find the TLS key file, " - "invalid path: {0}".format(conn.key_file)) + if cert: + if not isinstance(cert, basestring): + conn.cert_file = cert[0] + conn.key_file = cert[1] + else: + conn.cert_file = cert + conn.key_file = None + if conn.cert_file and not os.path.exists(conn.cert_file): + raise IOError("Could 
not find the TLS certificate file, " + "invalid path: {0}".format(conn.cert_file)) + if conn.key_file and not os.path.exists(conn.key_file): + raise IOError("Could not find the TLS key file, " + "invalid path: {0}".format(conn.key_file)) def build_response(self, req, resp): """Builds a :class:`Response ` object from a urllib3
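Review bot: The added `conn.key_file = None` in the string-`cert` branch carries no comment, although it is the only functional change in this hunk. The existence check a few lines later reads `conn.key_file` unconditionally, so the attribute has to exist on whatever pool object is passed in; a comment such as `# string form carries no separate key path; reset key_file so the check below never reads an unset or stale value` would keep a later cleanup from removing it. The context docstring line `:param cert: The SSL certificate to verify.` could also be reworded, since the code assigns `cert` to `conn.cert_file` / `conn.key_file` rather than verifying anything with it, e.g. `:param cert: Client certificate path, or a (cert, key) tuple of paths.` The start of the method is outside the hunk.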