classification
Title: urllib.requests.urlopen: deprecate cafile=None, capath=None, cadefault=False
Type: enhancement
Stage: needs patch
Components: Library (Lib)
Versions: Python 3.10
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, gregory.p.smith, orsenthil, potomak
Priority: normal
Keywords:

Created on 2019-07-23 23:54 by gregory.p.smith, last changed 2021-04-19 20:01 by christian.heimes.

Messages (4)
msg348359 - Author: Gregory P. Smith (gregory.p.smith) (Python committer) Date: 2019-07-23 23:54
The underlying https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations API supports cafile, capath and cadata.

urlopen() only offers up cafile and capath.  It should also support cadata for completeness.

This matters for applications that embed their root certificate pem as data.  Requiring the user to write that to a file or ship that as a file just so the library can read it rather than passing it in as a string is gross.

Let's add cadata support to urlopen().

msg348362 - Author: Gregory P. Smith (gregory.p.smith) (Python committer) Date: 2019-07-24 03:23
Probably never mind on implementing this:

  ssl_context = ssl.create_default_context(cadata=...)
  urllib.request.urlopen(..., context=ssl_context)

Works fine.  It might be worth a note in the urlopen() docs if anything.
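
An added example, not part of the tracker thread or of CPython: the context-based approach from the message above, wrapped in two helpers. The names `context_from_pem`, `opener_for`, `add_system_roots` and `PEM_MARKER` are hypothetical. The point it makes explicit is that passing cadata replaces the system trust store rather than extending it.

```python
import ssl
import urllib.request

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def context_from_pem(pem_bundle: str, *, add_system_roots: bool = False) -> ssl.SSLContext:
    """Return a verifying client context that trusts the embedded PEM roots.

    create_default_context() loads the system trust store only when no
    cafile/capath/cadata is passed, so by default the result trusts the
    embedded bundle and nothing else.
    """
    if PEM_MARKER not in pem_bundle:
        raise ValueError("pem_bundle contains no PEM certificate")
    # Malformed certificate bodies are rejected here by the ssl module.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cadata=pem_bundle)
    if add_system_roots:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def opener_for(ctx: ssl.SSLContext) -> urllib.request.OpenerDirector:
    """Build a reusable opener, refusing contexts that skip verification."""
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise ValueError("context must verify the certificate chain and hostname")
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


if __name__ == "__main__":
    # Constructed input: text that is not a certificate bundle.
    try:
        context_from_pem("not a certificate")
    except ValueError as exc:
        print("rejected:", exc)
    # With a real bundle (ROOT_PEM is a placeholder for the application's own):
    #   opener_for(context_from_pem(ROOT_PEM)).open("https://internal.example/")
```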

msg348373 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2019-07-24 06:37
Yes, that's my favorite solution.

Actually I would like to deprecate and remove all TLS/SSL related arguments in favor of a single context/ssl_context argument.

msg348378 - Author: Senthil Kumaran (orsenthil) (Python committer) Date: 2019-07-24 10:45
Suggesting the use of context and deprecating `cafile=None, capath=None, cadefault=False` sounds like a good idea.

History
Date User Action Args
2021-04-19 20:01:01 christian.heimes set assignee: christian.heimes ->
title: urllib.requests.urlopen doesn't support cadata= -> urllib.requests.urlopen: deprecate cafile=None, capath=None, cadefault=False
components: - SSL
versions: + Python 3.10, - Python 3.8, Python 3.9
2019-07-29 02:29:50 potomak set nosy: + potomak
2019-07-24 10:45:58 orsenthil set messages: + msg348378
2019-07-24 06:37:49 xtreak set nosy: + orsenthil
2019-07-24 06:37:11 christian.heimes set messages: + msg348373
2019-07-24 03:23:46 gregory.p.smith set messages: + msg348362
2019-07-23 23:54:18 gregory.p.smith create