Don't call curl.unsetopt(pycurl.CAINFO) to reset CA certificates to default.

This doesn't work because it clobbers the default CA certs, causing all
certificates to be rejected.  There doesn't seem to be any way to restore
the defaults, so just leave it untouched in the default case and document
the requirement that all requests use ca_certs if any do.

diff --git a/tornado/httpclient.py b/tornado/httpclient.py
index c6f05b7fbf8b1525d2fe293da6549e953a46d8c3..e6c6baa6cb570567d07e89df736f7592d64b3169 100644 (file)
--- a/tornado/httpclient.py
+++ b/tornado/httpclient.py
@@ -425,6 +425,11 @@ class HTTPRequest(object):
         # validate_cert: boolean, set to False to disable validation
         # ca_certs: filename of CA certificates in PEM format, or
         #     None to use defaults
+        # Note that in the curl-based HTTP client, if any request
+        # uses a custom ca_certs file, they all must (they don't have to
+        # all use the same ca_certs, but it's not possible to mix requests
+        # with ca_certs and requests that use the defaults).
+        # SimpleAsyncHTTPClient does not have this limitation.
         self.validate_cert = validate_cert
         self.ca_certs = ca_certs
         self.start_time = time.time()
@@ -567,7 +572,13 @@ def _curl_setup_request(curl, request, buffer, headers):
     if request.ca_certs is not None:
         curl.setopt(pycurl.CAINFO, request.ca_certs)
     else:
-        curl.unsetopt(pycurl.CAINFO)
+        # There is no way to restore pycurl.CAINFO to its default value
+        # (Using unsetopt makes it reject all certificates).
+        # I don't see any way to read the default value from python so it
+        # can be restored later.  We'll have to just leave CAINFO untouched
+        # if no ca_certs file was specified, and require that if any
+        # request uses a custom ca_certs file, they all must.
+        pass
 
     # Set the request method through curl's retarded interface which makes
     # up names for almost every single method