author | Toshio Kuratomi <a.badger@gmail.com> | 2017-10-23 13:17:04 -0700 |
---|---|---|
committer | Toshio Kuratomi <a.badger@gmail.com> | 2018-02-23 11:05:43 -0800 |
commit | 6020c0d4f64dbafcbafdffbfc67cfc5bb6b3c75c (patch) | |
tree | bbc0efbaa0ac08b421c217de3787bd8156226544 /lib/ansible | |
parent | bc9b44d907000f10b9a0a49e05af1883a457fb80 (diff) | |
download | ansible-6020c0d4f64dbafcbafdffbfc67cfc5bb6b3c75c.tar.gz |
Prefer the stdlib SSLContext over urllib3 context
We do not go through the effort of finding the right PROTOCOL setting if
we have SSLContext in the stdlib. So we do not want to hit the code
that uses PROTOCOL to set the urllib3-provided ssl context when
SSLContext is available. Also, the urllib3 implementation appears to
have a bug in some recent versions. Preferring the stdlib version will
work around that for those with Python-2.7.9+ as well.
Fixes #26235
Fixes #25402
Fixes #31998
(cherry picked from commit 725ae96e1bb7790cec4a56a9a8a9c5bcb3182951)
Diffstat (limited to 'lib/ansible')
-rw-r--r-- | lib/ansible/module_utils/urls.py | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/lib/ansible/module_utils/urls.py b/lib/ansible/module_utils/urls.py
index 92ebf5a0a6..38c2007611 100644
--- a/lib/ansible/module_utils/urls.py
+++ b/lib/ansible/module_utils/urls.py
@@ -680,10 +680,13 @@ class SSLValidationHandler(urllib_request.BaseHandler):
 return True
 
 def _make_context(self, to_add_ca_cert_path):
- if HAS_URLLIB3_PYOPENSSLCONTEXT:
+ if HAS_SSLCONTEXT:
+ context = create_default_context()
+ elif HAS_URLLIB3_PYOPENSSLCONTEXT:
 context = PyOpenSSLContext(PROTOCOL)
 else:
- context = create_default_context()
+ raise NotImplementedError('Host libraries are too old to support creating an sslcontext')
+
 if to_add_ca_cert_path:
 context.load_verify_locations(to_add_ca_cert_path)
 return context
@@ -692,8 +695,11 @@ class SSLValidationHandler(urllib_request.BaseHandler):
 tmp_ca_cert_path, to_add_ca_cert_path, paths_checked = self.get_ca_certs()
 https_proxy = os.environ.get('https_proxy')
 context = None
- if HAS_SSLCONTEXT or HAS_URLLIB3_PYOPENSSLCONTEXT:
+ try:
 context = self._make_context(to_add_ca_cert_path)
+ except Exception:
+ # We'll make do with no context below
+ pass
 
 # Detect if 'no_proxy' environment variable is set and if our URL is included
 use_proxy = self.detect_no_proxy(req.get_full_url()) |
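Review bot: `_make_context` now raises `NotImplementedError` when neither `HAS_SSLCONTEXT` nor `HAS_URLLIB3_PYOPENSSLCONTEXT` is set, but the method has no docstring stating that contract or the new preference order. A one-line docstring would cover it, e.g. `"""Return an SSL context, preferring the stdlib SSLContext over urllib3's PyOpenSSLContext; raise NotImplementedError if neither is available."""`. Separately, the `elif` branch still builds `PyOpenSSLContext(PROTOCOL)` with no verification settings visible in this hunk. It is worth confirming that this path ends up with the same certificate and hostname checks that the stdlib default context enables.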
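Review bot: The `except Exception:` around `self._make_context(to_add_ca_cert_path)` also swallows failures from `context.load_verify_locations(...)`, so an unreadable or malformed CA file would silently leave `context = None` instead of surfacing an error. The only failure this change expects is the new `NotImplementedError` for old host libraries, so the handler could be narrowed to `except NotImplementedError:`. The enclosing method continues outside this hunk, so whether certificate validation is still enforced when `context` stays `None` should be confirmed there.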