From 3951d5997a8c1e6d7c834b16ee99db7ebc89f146 Mon Sep 17 00:00:00 2001
From: Ben Darnell
Date: Sat, 19 Feb 2011 13:43:33 -0800
Subject: [PATCH] Don't call curl.unsetopt(pycurl.CAINFO) to reset CA certificates to default. This doesn't work because it clobbers the default CA certs, causing all certificates to be rejected. There doesn't seem to be any way to restore the defaults, so just leave it untouched in the default case and document the requirement that all requests use ca_certs if any do.
---
 tornado/httpclient.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/tornado/httpclient.py b/tornado/httpclient.py
index c6f05b7fb..e6c6baa6c 100644
--- a/tornado/httpclient.py
+++ b/tornado/httpclient.py
@@ -425,6 +425,11 @@ class HTTPRequest(object):
 # validate_cert: boolean, set to False to disable validation
 # ca_certs: filename of CA certificates in PEM format, or
 # None to use defaults
+ # Note that in the curl-based HTTP client, if any request
+ # uses a custom ca_certs file, they all must (they don't have to
+ # all use the same ca_certs, but it's not possible to mix requests
+ # with ca_certs and requests that use the defaults).
+ # SimpleAsyncHTTPClient does not have this limitation.
 self.validate_cert = validate_cert
 self.ca_certs = ca_certs
 self.start_time = time.time()
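Review bot: The added comment states the rule but not what happens when it is broken, which is what a caller needs in order to judge the risk. If curl handles are reused across requests, as the commit message implies, a request with `ca_certs=None` that follows one with a custom file would presumably be verified against that earlier file rather than the system defaults. I would add a line such as `# Otherwise a request that expects the default CAs may be validated against an earlier request's ca_certs file.` The note also sits in a comment inside the constructor, whose body continues outside the hunk; the public docstring is where API users are more likely to see it.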
@@ -567,7 +572,13 @@ def _curl_setup_request(curl, request, buffer, headers):
 if request.ca_certs is not None:
 curl.setopt(pycurl.CAINFO, request.ca_certs)
 else:
- curl.unsetopt(pycurl.CAINFO)
+ # There is no way to restore pycurl.CAINFO to its default value
+ # (Using unsetopt makes it reject all certificates).
+ # I don't see any way to read the default value from python so it
+ # can be restored later. We'll have to just leave CAINFO untouched
+ # if no ca_certs file was specified, and require that if any
+ # request uses a custom ca_certs file, they all must.
+ pass
 # Set the request method through curl's retarded interface which makes
 # up names for almost every single method
-- 
2.47.2
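Review bot: The new `else: pass` branch depends on a caller-side rule that nothing enforces, so mixing requests silently changes which trust anchors a request is verified against instead of failing. A cheap guard is to mark the handle when CAINFO is set and check the marker in the else branch, for example `curl._custom_cainfo = True` after the `setopt` call and `if getattr(curl, "_custom_cainfo", False): raise ValueError("ca_certs must be set on every request once any request uses it")` in place of `pass` (the attribute name is illustrative). A logged warning would also do if raising is too strict for existing callers. `_curl_setup_request` starts and ends outside the hunk, so whether handles are actually pooled cannot be confirmed from here.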