From 5877313843e20fb41e718de3a639078144458ae0 Mon Sep 17 00:00:00 2001
From: Nate Prewitt
Date: Thu, 18 Jul 2024 09:51:10 -0700
Subject: [PATCH] Revert #6667 to no longer cache a default SSLContext
---
 src/requests/adapters.py | 59 ++++++++++++----------------------------
 1 file changed, 17 insertions(+), 42 deletions(-)
diff --git a/src/requests/adapters.py b/src/requests/adapters.py
index 9a58b16025..a9879cb4a7 100644
--- a/src/requests/adapters.py
+++ b/src/requests/adapters.py
@@ -74,19 +74,6 @@ def SOCKSProxyManager(*args, **kwargs):
 DEFAULT_POOL_TIMEOUT = None -try: - import ssl # noqa: F401 - - _preloaded_ssl_context = create_urllib3_context() - _preloaded_ssl_context.load_verify_locations( - extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH) - ) -except ImportError: - # Bypass default SSLContext creation when Python - # interpreter isn't built with the ssl module. - _preloaded_ssl_context = None - - def _urllib3_request_context( request: "PreparedRequest", verify: "bool | str | None",
@@ -99,24 +86,11 @@ def _urllib3_request_context(
 scheme = parsed_request_url.scheme.lower() port = parsed_request_url.port - # Determine if we have and should use our default SSLContext - # to optimize performance on standard requests. - poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {}) - has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context") - should_use_default_ssl_context = ( - _preloaded_ssl_context is not None and not has_poolmanager_ssl_context - ) - cert_reqs = "CERT_REQUIRED" if verify is False: cert_reqs = "CERT_NONE" - elif verify is True and should_use_default_ssl_context: - pool_kwargs["ssl_context"] = _preloaded_ssl_context elif isinstance(verify, str): - if not os.path.isdir(verify): - pool_kwargs["ca_certs"] = verify - else: - pool_kwargs["ca_cert_dir"] = verify + pool_kwargs["ca_certs"] = verify pool_kwargs["cert_reqs"] = cert_reqs if client_cert is not None: if isinstance(client_cert, tuple) and len(client_cert) == 2:
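Review bot: The restored `pool_kwargs["ca_certs"] = verify` on the new side of the `_urllib3_request_context` hunk hands a directory path to urllib3 as `ca_certs`, while the new side of the `cert_verify` hunk below still routes a directory to `ca_cert_dir` through `os.path.isdir`, so the two paths now disagree on a string `verify` that names a CA directory. The directory branch being removed here is independent of the cached SSLContext that this revert targets, so I would keep it: `if not os.path.isdir(verify):` / `    pool_kwargs["ca_certs"] = verify` / `else:` / `    pool_kwargs["ca_cert_dir"] = verify`. Whether urllib3 rejects a directory passed as `ca_certs` up front or only fails at handshake time is not visible from this hunk. `_urllib3_request_context` starts in the previous hunk and its body continues past the end of this one.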
@@ -314,26 +288,27 @@ def cert_verify(self, conn, url, verify, cert): :param cert: The SSL certificate to verify. """ if url.lower().startswith("https") and verify: - conn.cert_reqs = "CERT_REQUIRED" + cert_loc = None - # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use. - # Otherwise, if verify is a boolean, we don't load anything since - # the connection will be using a context with the default certificates already loaded, - # and this avoids a call to the slow load_verify_locations() + # Allow self-specified cert location. if verify is not True: - # `verify` must be a str with a path then cert_loc = verify - if not os.path.exists(cert_loc): - raise OSError( - f"Could not find a suitable TLS CA certificate bundle, " - f"invalid path: {cert_loc}" - ) + if not cert_loc: + cert_loc = extracted_zipped_paths(DEFAULT_CA_BUNDLE_PATH) + + if not cert_loc or not os.path.exists(cert_loc): + raise OSError( + f"Could not find a suitable TLS CA certificate bundle, " + f"invalid path: {cert_loc}" + ) - if not os.path.isdir(cert_loc): - conn.ca_certs = cert_loc - else: - conn.ca_cert_dir = cert_loc + conn.cert_reqs = "CERT_REQUIRED" + + if not os.path.isdir(cert_loc): + conn.ca_certs = cert_loc + else: + conn.ca_cert_dir = cert_loc else: conn.cert_reqs = "CERT_NONE" conn.ca_certs = None
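Review bot: The added line `cert_loc = extracted_zipped_paths(DEFAULT_CA_BUNDLE_PATH)` uses a name that does not match `extract_zipped_paths`, which the removed module-level block in the first hunk calls with the same argument; unless the patch as shown here was transcribed inaccurately, this typo makes every HTTPS request with `verify=True` raise NameError on this line before the bundle path is even checked. The fix is the one-word rename `cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)`. The `verify is not True` branch skips this line entirely, so a test that only passes an explicit bundle path would not catch it; a test issuing an HTTPS request with default verification through the adapter would likely have. `cert_verify` starts before this hunk and its body continues past the end of it.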