Prefer the stdlib SSLContext over urllib3 context
We do not go through the effort of finding the right PROTOCOL setting if
we have SSLContext in the stdlib.  So we do not want to hit the code
that uses PROTOCOL to set the urllib3-provided ssl context when
SSLContext is available.  Also, the urllib3 implementation appears to
have a bug in some recent versions.  Preferring the stdlib version will
work around that for those with Python-2.7.9+ as well.

Fixes ansible#26235
Fixes ansible#25402
Fixes ansible#31998
abadger committed Oct 24, 2017
1 parent ee6ba5d commit 725ae96
Showing 1 changed file with 9 additions and 3 deletions.
12 changes: 9 additions & 3 deletions lib/ansible/module_utils/urls.py
@@ -700,10 +700,13 @@ def detect_no_proxy(self, url):
return True

def _make_context(self, to_add_ca_cert_path):
if HAS_URLLIB3_PYOPENSSLCONTEXT:
if HAS_SSLCONTEXT:
context = create_default_context()
elif HAS_URLLIB3_PYOPENSSLCONTEXT:
context = PyOpenSSLContext(PROTOCOL)
else:
context = create_default_context()
raise NotImplementedError('Host libraries are too old to support creating an sslcontext')

if to_add_ca_cert_path:
context.load_verify_locations(to_add_ca_cert_path)
return context
@@ -712,8 +715,11 @@ def http_request(self, req):
tmp_ca_cert_path, to_add_ca_cert_path, paths_checked = self.get_ca_certs()
https_proxy = os.environ.get('https_proxy')
context = None
if HAS_SSLCONTEXT or HAS_URLLIB3_PYOPENSSLCONTEXT:
try:
context = self._make_context(to_add_ca_cert_path)
except Exception:
# We'll make do with no context below
pass

# Detect if 'no_proxy' environment variable is set and if our URL is included
use_proxy = self.detect_no_proxy(req.get_full_url())
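Review bot: The new `except Exception: pass` around `self._make_context(to_add_ca_cert_path)` in http_request swallows more than the NotImplementedError that `_make_context` now raises: a failure in `context.load_verify_locations(to_add_ca_cert_path)` (an unreadable or malformed CA file) is dropped the same way and the request continues with `context = None`. This is the certificate-validation path, so a silent fallback makes a trust-store problem invisible; whether the no-context branch still verifies the peer cannot be seen from this hunk, since http_request continues past it. I would narrow the handler to `except NotImplementedError:`, or, if the breadth is meant to cover the urllib3 bug mentioned in the commit message, keep it but record the exception instead of `pass` so the downgrade shows up in the module's output.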
