Initial patch by James Oakley.
The :mod:`urllib.request` module defines the following functions:
-.. function:: urlopen(url, data=None[, timeout], *, cafile=None, capath=None)
+.. function:: urlopen(url, data=None[, timeout], *, cafile=None, capath=None, cadefault=True)
Open the URL *url*, which can be either a string or a
:class:`Request` object.
point to a directory of hashed certificate files. More information can
be found in :meth:`ssl.SSLContext.load_verify_locations`.
+ The *cadefault* parameter specifies whether to fall back to loading a
+ default certificate store defined by the underlying OpenSSL library if the
+ *cafile* and *capath* parameters are omitted. This will only work on
+ some non-Windows platforms.
+
.. warning::
- If neither *cafile* nor *capath* is specified, an HTTPS request
- will not do any verification of the server's certificate.
+ If neither *cafile* nor *capath* is specified, and *cadefault* is False,
+ an HTTPS request will not do any verification of the server's
+ certificate.
This function returns a file-like object that works as a :term:`context manager`,
with two additional methods from the :mod:`urllib.response` module
.. versionadded:: 3.2
*data* can be an iterable object.
+ .. versionchanged:: 3.3
+ *cadefault* was added.
+
.. function:: install_opener(opener)
Install an :class:`OpenerDirector` instance as the default global opener.
self.urlopen("https://localhost:%s/bizarre" % handler.port,
cafile=CERT_fakehostname)
+ def test_https_with_cadefault(self):
+ handler = self.start_https_server(certfile=CERT_localhost)
+ # Self-signed cert should fail verification with system certificate store
+ with self.assertRaises(urllib.error.URLError) as cm:
+ self.urlopen("https://localhost:%s/bizarre" % handler.port,
+ cadefault=True)
+
def test_sending_headers(self):
handler = self.start_server()
req = urllib.request.Request("http://localhost:%s/" % handler.port,
_opener = None
def urlopen(url, data=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
- *, cafile=None, capath=None):
+ *, cafile=None, capath=None, cadefault=False):
global _opener
- if cafile or capath:
+ if cafile or capath or cadefault:
if not _have_ssl:
raise ValueError('SSL support not available')
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
context.options |= ssl.OP_NO_SSLv2
- if cafile or capath:
+ if cafile or capath or cadefault:
context.verify_mode = ssl.CERT_REQUIRED
- context.load_verify_locations(cafile, capath)
+ if cafile or capath:
+ context.load_verify_locations(cafile, capath)
+ else:
+ context.set_default_verify_paths()
check_hostname = True
else:
check_hostname = False
John O'Connor
Kevin O'Connor
Tim O'Malley
+James Oakley
Jon Oberheide
Pascal Oberndoerfer
Jeffrey Ollie
Library
-------
+- Issue #14780: urllib.request.urlopen() now has a ``cadefault`` argument
+ to use the default certificate store. Initial patch by James Oakley.
+
- Issue #14829: Fix bisect and range() indexing with large indices
(>= 2 ** 32) under 64-bit Windows.
projects / python / commitdiff