From: Ben Darnell
Date: Tue, 15 Feb 2011 04:05:47 +0000 (-0800)
Subject: Make certificate validation optional with an HTTPRequest parameter
X-Git-Tag: v1.2.0~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5bff06d710b8d60e059eb4e3ee846a30a6d9efb7;p=thirdparty%2Ftornado.git

Make certificate validation optional with an HTTPRequest parameter
for consistency between curl and simple HTTPClients.
---
diff --git a/tornado/httpclient.py b/tornado/httpclient.py
index 25d07ae5c..c6f05b7fb 100644
--- a/tornado/httpclient.py
+++ b/tornado/httpclient.py
@@ -378,7 +378,8 @@ class HTTPRequest(object):
                  network_interface=None, streaming_callback=None,
                  header_callback=None, prepare_curl_callback=None,
                  proxy_host=None, proxy_port=None, proxy_username=None,
-                 proxy_password='', allow_nonstandard_methods=False):
+                 proxy_password='', allow_nonstandard_methods=False,
+                 validate_cert=True, ca_certs=None):
         if headers is None:
             headers = httputil.HTTPHeaders()
         if if_modified_since:
@@ -420,6 +421,12 @@ class HTTPRequest(object):
         self.header_callback = header_callback
         self.prepare_curl_callback = prepare_curl_callback
         self.allow_nonstandard_methods = allow_nonstandard_methods
+        # SSL certificate validation:
+        # validate_cert: boolean, set to False to disable validation
+        # ca_certs: filename of CA certificates in PEM format, or
+        #     None to use defaults
+        self.validate_cert = validate_cert
+        self.ca_certs = ca_certs
         self.start_time = time.time()
@@ -556,6 +563,11 @@ def _curl_setup_request(curl, request, buffer, headers):
         curl.setopt(pycurl.PROXYUSERPWD, credentials)
     else:
         curl.setopt(pycurl.PROXY, '')
+    curl.setopt(pycurl.SSL_VERIFYPEER, request.validate_cert)
+    if request.ca_certs is not None:
+        curl.setopt(pycurl.CAINFO, request.ca_certs)
+    else:
+        curl.unsetopt(pycurl.CAINFO)
     # Set the request method through curl's retarded interface which makes
     # up names for almost every single method
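Review bot: The new comment above `self.validate_cert` says `None` for `ca_certs` means "use defaults", but the two clients in this commit do not share a default: the curl path in this file unsets `CAINFO` (so libcurl presumably falls back to its own build-time bundle), while simple_httpclient.py falls back to the `ca-certificates.crt` shipped next to the module. The same request can therefore be checked against different trust roots depending on which client is configured, which is exactly the kind of thing a caller deciding whether to pass `ca_certs` needs to know. I'd state it where the attribute is documented: `#     None to use the client's default bundle (libcurl's own for` / `#     the curl client, tornado's ca-certificates.crt for the simple one)`. It is also worth a word that `ca_certs` has no effect when `validate_cert` is False. The trailing context of this hunk after `self.start_time` is outside the excerpt.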
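Review bot: `curl.setopt(pycurl.SSL_VERIFYPEER, request.validate_cert)` switches off peer (chain) verification only; `SSL_VERIFYHOST` is left at libcurl's default, and as far as I recall curl documents the host-name check as independent of `SSL_VERIFYPEER`, so with `validate_cert=False` a self-signed certificate is still accepted only if its name matches the URL host. That is fine for the test in this commit but differs from the simple client, where the empty options dict skips both checks, so the consistency the commit message claims is only partial. Whichever way you settle it, make the intent visible next to the new line: `# Only chain verification is controlled here; libcurl's host-name check (SSL_VERIFYHOST) keeps its default`. `_curl_setup_request` continues beyond the hunk.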
diff --git a/tornado/simple_httpclient.py b/tornado/simple_httpclient.py
index c23def6cf..a19805d8b 100644
--- a/tornado/simple_httpclient.py
+++ b/tornado/simple_httpclient.py
@@ -143,10 +143,14 @@ class _HTTPConnection(object):
             host = self.client.hostname_mapping.get(host, host)
             if parsed.scheme == "https":
-                ssl_options = dict(
-                    cert_reqs=ssl.CERT_REQUIRED,
-                    ca_certs=os.path.dirname(__file__) + '/ca-certificates.crt',
-                    )
+                ssl_options = {}
+                if request.validate_cert:
+                    ssl_options["cert_reqs"] = ssl.CERT_REQUIRED
+                    if request.ca_certs is not None:
+                        ssl_options["ca_certs"] = request.ca_certs
+                    else:
+                        ssl_options["ca_certs"] = (os.path.dirname(__file__) +
+                                                   '/ca-certificates.crt')
                 self.stream = SSLIOStream(socket.socket(), io_loop=self.io_loop,
                                           ssl_options=ssl_options)
diff --git a/tornado/test/httpserver_test.py b/tornado/test/httpserver_test.py
index b107578e7..e556e7291 100644
--- a/tornado/test/httpserver_test.py
+++ b/tornado/test/httpserver_test.py
@@ -37,12 +37,9 @@ class SSLTest(AsyncHTTPTestCase, LogTrapTestCase):
                 keyfile=os.path.join(test_dir, 'test.key')))
     def fetch(self, path, **kwargs):
-        def disable_cert_check(curl):
-            # Our certificate was not signed by a CA, so don't check it
-            curl.setopt(pycurl.SSL_VERIFYPEER, 0)
         self.http_client.fetch(self.get_url(path).replace('http', 'https'),
                                self.stop,
-                               prepare_curl_callback=disable_cert_check,
+                               validate_cert=False,
                                **kwargs)
         return self.wait()
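Review bot: With `validate_cert` true, `ssl_options["cert_reqs"] = ssl.CERT_REQUIRED` makes the `ssl` module verify the chain against `ca_certs`, but nothing in the hunk compares the certificate's subject with `host`, and the stdlib `ssl` module of this era does no host-name matching of its own (unless a check elsewhere in `_HTTPConnection`, outside this excerpt, does it). A certificate issued by any CA in the bundle would then be accepted for any host, which is weaker than the curl client, whose `SSL_VERIFYHOST` default stays on, so the consistency this commit aims for is not reached on that axis. Until name matching is added, record the gap where the options are built: `# NOTE: CERT_REQUIRED validates the chain only; the certificate is not matched against host here`. Minor: the default bundle path would read better as `os.path.join(os.path.dirname(__file__), 'ca-certificates.crt')`. The enclosing method starts before and ends after the hunk.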
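Review bot: Dropping `disable_cert_check` also drops the only explanation of why this test turns verification off ("Our certificate was not signed by a CA"), and a bare `validate_cert=False` in a test is the sort of line that gets copied into non-test code. I'd keep the reason on the new keyword: `validate_cert=False,  # the test certificate is not CA-signed`. The rest of `SSLTest` is outside the hunk.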