authorChristian Heimes <christian@cheimes.de>2013-06-09 16:02:55 (GMT)
committerChristian Heimes <christian@cheimes.de>2013-06-09 16:02:55 (GMT)
commit6d7ad13a458afdf2cbdd0c3349b0589d7776cc8a (patch)
tree47e14221e1b28d34be82fe6a3e5fa554c03f51a1 /Lib
parent302b8c31ecefba371271ca51359ef30fcb3ddbcd (diff)
Issue #18143: Implement ssl.get_default_verify_paths() in order to debug
the default locations for cafile and capath.
Diffstat (limited to 'Lib')
-rw-r--r--Lib/ssl.py20
-rw-r--r--Lib/test/test_ssl.py13
2 files changed, 33 insertions, 0 deletions
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 8af22c7..5d48f1b 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -89,6 +89,8 @@ ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY
import textwrap
import re
+import os
+import collections
import _ssl # if we can't import it, let the error propagate
@@ -222,6 +224,24 @@ def match_hostname(cert, hostname):
"subjectAltName fields were found")
+DefaultVerifyPaths = collections.namedtuple("DefaultVerifyPaths",
+ "cafile capath openssl_cafile_env openssl_cafile openssl_capath_env "
+ "openssl_capath")
+
+def get_default_verify_paths():
+ """Return paths to default cafile and capath.
+ """
+ parts = _ssl.get_default_verify_paths()
+
+ # environment vars shadow paths
+ cafile = os.environ.get(parts[0], parts[1])
+ capath = os.environ.get(parts[2], parts[3])
+
+ return DefaultVerifyPaths(cafile if os.path.isfile(cafile) else None,
+ capath if os.path.isdir(capath) else None,
+ *parts)
+
+
class SSLContext(_SSLContext):
"""An SSLContext holds various SSL-related configuration options and
data, such as certificates and possibly a private key."""
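Review bot: The docstring on `get_default_verify_paths()` leaves out the two behaviours a caller debugging certificate verification depends on. First, the environment variables named in `openssl_cafile_env` and `openssl_capath_env` take precedence over the compiled-in defaults. Second, `cafile` and `capath` are `None` when the resolved path is not an existing file or directory at call time. Since the override is read from `os.environ`, the docstring should say the result describes where this process would look rather than a fixed system trust store, and it should list the six fields in order. As a style point, unpacking `parts` into four named locals would be clearer than `parts[0]`…`parts[3]`, whose meaning is only implied by the namedtuple field string.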
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 224e0e2..6cecc17 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -394,6 +394,19 @@ class BasicSocketTests(unittest.TestCase):
support.gc_collect()
self.assertIn(r, str(cm.warning.args[0]))
+ def test_get_default_verify_paths(self):
+ paths = ssl.get_default_verify_paths()
+ self.assertEqual(len(paths), 6)
+ self.assertIsInstance(paths, ssl.DefaultVerifyPaths)
+
+ with support.EnvironmentVarGuard() as env:
+ env["SSL_CERT_DIR"] = CAPATH
+ env["SSL_CERT_FILE"] = CERTFILE
+ paths = ssl.get_default_verify_paths()
+ self.assertEqual(paths.cafile, CERTFILE)
+ self.assertEqual(paths.capath, CAPATH)
+
+
class ContextTests(unittest.TestCase):
@skip_if_broken_ubuntu_ssl
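Review bot: `test_get_default_verify_paths` only covers the case where both environment variables point at existing paths, so the `os.path.isfile` / `os.path.isdir` fallbacks to `None` in `ssl.get_default_verify_paths()` are never checked. Inside the `EnvironmentVarGuard` block, add a case with a path that does not exist, e.g. `env["SSL_CERT_FILE"] = CERTFILE + ".missing"` followed by `self.assertIsNone(ssl.get_default_verify_paths().cafile)`. The test also hard-codes `SSL_CERT_DIR` and `SSL_CERT_FILE`. Reading the names from `paths.openssl_capath_env` and `paths.openssl_cafile_env` would tie the test to what `_ssl` actually reports; whether any build reports different names is not visible from this hunk.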