# HG changeset patch
# User James Oakley
# Date 1337195517 25200
# Node ID 76ccf77090fca5a1f75a3a5bd9bcb2f8f85e0bc7
# Parent 51913a3898dca95acac5392f37a38c042e117d26
Add a cadefault parameter to urllib.urlopen()
The cadefault parameter, which is True by default, tells urlopen to load the system-defined certificate store and verify remote certificates if both cafile and capath are unspecified.
diff -r 51913a3898dc -r 76ccf77090fc Doc/library/urllib.request.rst
--- a/Doc/library/urllib.request.rst Fri May 11 13:11:02 2012 -0400
+++ b/Doc/library/urllib.request.rst Wed May 16 12:11:57 2012 -0700
@@ -16,7 +16,7 @@
 The :mod:`urllib.request` module defines the following functions:
-.. function:: urlopen(url, data=None[, timeout], *, cafile=None, capath=None)
+.. function:: urlopen(url, data=None[, timeout], *, cafile=None, capath=None, cadefault=True)
 Open the URL *url*, which can be either a string or a :class:`Request` object.
@@ -53,9 +53,14 @@
 point to a directory of hashed certificate files. More information can be found in :meth:`ssl.SSLContext.load_verify_locations`.
+ The *cadefault* parameter specifies whether to fall back to loading a
+ default certificate store defined by the underlying OpenSSL library if the
+ *cafile* and *capath* parameters are omitted.
+
 .. warning::
- If neither *cafile* nor *capath* is specified, an HTTPS request
- will not do any verification of the server's certificate.
+ If neither *cafile* nor *capath* is specified, and *cadefault* is False,
+ an HTTPS request will not do any verification of the server's
+ certificate.
 This function returns a file-like object that works as a :term:`context manager`, with two additional methods from the :mod:`urllib.response` module
diff -r 51913a3898dc -r 76ccf77090fc Lib/test/test_urllib2_localnet.py
--- a/Lib/test/test_urllib2_localnet.py Fri May 11 13:11:02 2012 -0400
+++ b/Lib/test/test_urllib2_localnet.py Wed May 16 12:11:57 2012 -0700
@@ -454,7 +454,7 @@
 def test_https(self):
 handler = self.start_https_server()
- data = self.urlopen("https://localhost:%s/bizarre" % handler.port)
+ data = self.urlopen("https://localhost:%s/bizarre" % handler.port, cadefault=False)
 self.assertEqual(data, b"we care a bit")
 def test_https_with_cafile(self):
@@ -474,6 +474,12 @@
 self.urlopen("https://localhost:%s/bizarre" % handler.port,
 cafile=CERT_fakehostname)
+ def test_https_with_cadefault(self):
+ handler = self.start_https_server(certfile=CERT_localhost)
+ # Self-signed cert should fail verification with system certificate store
+ with self.assertRaises(urllib.error.URLError) as cm:
+ self.urlopen("https://localhost:%s/bizarre" % handler.port)
+
 def test_sending_headers(self):
 handler = self.start_server()
 req = urllib.request.Request("http://localhost:%s/" % handler.port,
diff -r 51913a3898dc -r 76ccf77090fc Lib/urllib/request.py
--- a/Lib/urllib/request.py Fri May 11 13:11:02 2012 -0400
+++ b/Lib/urllib/request.py Wed May 16 12:11:57 2012 -0700
@@ -135,16 +135,19 @@
 _opener = None
 def urlopen(url, data=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
- *, cafile=None, capath=None):
+ *, cafile=None, capath=None, cadefault=True):
 global _opener
- if cafile or capath:
+ if cafile or capath or cadefault:
 if not _have_ssl:
 raise ValueError('SSL support not available')
 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 context.options |= ssl.OP_NO_SSLv2
- if cafile or capath:
+ if cafile or capath or cadefault:
 context.verify_mode = ssl.CERT_REQUIRED
- context.load_verify_locations(cafile, capath)
+ if cafile or capath:
+ context.load_verify_locations(cafile, capath)
+ else:
+ context.set_default_verify_paths()
 check_hostname = True
 else:
 check_hostname = False
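Review bot: `assertRaises(urllib.error.URLError)` in test_https_with_cadefault accepts any URLError, so a refused connection or a server that failed to start passes the test exactly as a rejected certificate does, and the captured `cm` is never used. Pin the failure mode by inspecting the reason, e.g. `self.assertIsInstance(cm.exception.reason, ssl.SSLError)` (this assumes `ssl` is imported in the test module, which is not visible here). Note also that the test cannot distinguish "default store loaded and does not trust CERT_localhost" from "no default store found at all", since both end in a verification failure; a comment saying so would help the next maintainer.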
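Review bot: With `cadefault=True` as the default, the guard `if cafile or capath or cadefault:` is true for every call, so on an interpreter built without the ssl module even `urlopen("http://...")` now raises `ValueError('SSL support not available')`, where previously only an explicit cafile/capath did. Making the fallback conditional on ssl being present keeps verification on by default without that regression: `if cafile or capath or (cadefault and _have_ssl):`. The inner `if cafile or capath or cadefault:` repeats the outer condition, so its `else: check_hostname = False` branch is unreachable and the inner test can be dropped, leaving `check_hostname = True` unconditional inside the block. Be aware that `set_default_verify_paths()` does not raise when OpenSSL's default locations are missing, so on such a system every HTTPS request fails closed with a verification error rather than going unverified — acceptable, but worth a comment on that line. urlopen's body continues outside the hunk.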