author | Antoine Pitrou <solipsis@pitrou.net> | 2012-05-16 19:40:01 (GMT) |
---|---|---|
committer | Antoine Pitrou <solipsis@pitrou.net> | 2012-05-16 19:40:01 (GMT) |
commit | de9ac6c2e5b5887e473a24f067942dcf306ed3d3 (patch) | |
tree | 4116086b6516d72bd6bc228dcb62e0258cb90c18 /Lib | |
parent | 5d953184a6fae25bf27e769c90b419d9b2aa1af9 (diff) | |
Issue #14780: urllib.request.urlopen() now has a `cadefault` argument to use the default certificate store.
Initial patch by James Oakley.
Diffstat (limited to 'Lib')
-rw-r--r-- | Lib/test/test_urllib2_localnet.py | 7 | ||||
-rw-r--r-- | Lib/urllib/request.py | 11 |
2 files changed, 14 insertions, 4 deletions
diff --git a/Lib/test/test_urllib2_localnet.py b/Lib/test/test_urllib2_localnet.py
index 9e1ce5b..6ef4200 100644
--- a/Lib/test/test_urllib2_localnet.py
+++ b/Lib/test/test_urllib2_localnet.py
@@ -474,6 +474,13 @@ class TestUrlopen(unittest.TestCase):
 self.urlopen("https://localhost:%s/bizarre" % handler.port,
 cafile=CERT_fakehostname)

+ def test_https_with_cadefault(self):
+ handler = self.start_https_server(certfile=CERT_localhost)
+ # Self-signed cert should fail verification with system certificate store
+ with self.assertRaises(urllib.error.URLError) as cm:
+ self.urlopen("https://localhost:%s/bizarre" % handler.port,
+ cadefault=True)
+
 def test_sending_headers(self):
 handler = self.start_server()
 req = urllib.request.Request("http://localhost:%s/" % handler.port,
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
index 96bb8d7..9cbf8aa 100644
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -135,16 +135,19 @@ __version__ = sys.version[:3]

 _opener = None
 def urlopen(url, data=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
- *, cafile=None, capath=None):
+ *, cafile=None, capath=None, cadefault=False):
 global _opener
- if cafile or capath:
+ if cafile or capath or cadefault:
 if not _have_ssl:
 raise ValueError('SSL support not available')
 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 context.options |= ssl.OP_NO_SSLv2
- if cafile or capath:
+ if cafile or capath or cadefault:
 context.verify_mode = ssl.CERT_REQUIRED
- context.load_verify_locations(cafile, capath)
+ if cafile or capath:
+ context.load_verify_locations(cafile, capath)
+ else:
+ context.set_default_verify_paths()
 check_hostname = True
 else:
 check_hostname = False
|
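Review bot: In `test_https_with_cadefault`, `assertRaises(urllib.error.URLError)` passes on any connection failure, not only on a certificate verification failure, and the bound `cm` is never inspected. Since the test exists to show that a self-signed certificate is rejected against the default store, it should pin the cause, for example `self.assertIsInstance(cm.exception.reason, ssl.SSLError)`; this assumes `ssl` is importable in the test module and that `URLError.reason` carries the underlying exception, neither of which is visible in the hunk. If the cause cannot be asserted, drop `as cm`. Only the rejection path of `cadefault=True` is covered here; there is no case showing a certificate that the default store accepts.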
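Review bot: `cadefault=True` is silently ignored whenever `cafile` or `capath` is also passed, because `context.set_default_verify_paths()` sits in the `else:` of the new `if cafile or capath:`. A caller who supplies a private CA bundle together with `cadefault=True` gets only the bundle; that fails closed, but nothing in the hunk states the precedence. Either reject the combination with `raise ValueError('cadefault cannot be combined with cafile or capath')` or say so in a docstring, which `urlopen` lacks in the visible lines; the docstring should also state that, as far as the hunk shows, `CERT_REQUIRED` and hostname checking are switched on only when one of the three arguments is set, so the default `cadefault=False` keeps verification opt-in. Indentation is lost on this page, but the outer and inner tests are now the same expression `cafile or capath or cadefault`, so the trailing `else: check_hostname = False` looks unreachable. The body of `urlopen` continues past the end of the hunk.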