1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
--- contrib/python/tornado/tornado-4/tornado/curl_httpclient.py (index)
+++ contrib/python/tornado/tornado-4/tornado/curl_httpclient.py (working tree)
@@ -364,7 +364,17 @@ class CurlAsyncHTTPClient(AsyncHTTPClient):
curl.setopt(pycurl.SSL_VERIFYPEER, 0)
curl.setopt(pycurl.SSL_VERIFYHOST, 0)
if request.ca_certs is not None:
- curl.setopt(pycurl.CAINFO, request.ca_certs)
+ cafile, capath, cadata = None, None, None
+ if callable(request.ca_certs):
+ cafile, capath, cadata = request.ca_certs()
+ else:
+ cafile = request.ca_certs
+ if cafile is not None:
+ curl.setopt(pycurl.CAINFO, cafile)
+ if capath is not None:
+ curl.setopt(pycurl.CAPATH, capath)
+ if cadata is not None:
+ curl.set_ca_certs(cadata)
else:
# There is no way to restore pycurl.CAINFO to its default value
# (Using unsetopt makes it reject all certificates).
--- contrib/python/tornado/tornado-4/tornado/netutil.py (index)
+++ contrib/python/tornado/tornado-4/tornado/netutil.py (working tree)
@@ -64,6 +64,8 @@ if hasattr(ssl, 'SSLContext'):
# of a context is to authentiate the opposite side of the connection.
_client_ssl_defaults = ssl.create_default_context(
ssl.Purpose.SERVER_AUTH)
+ # load ca certs bundled with binary
+ _client_ssl_defaults.load_verify_locations(certifi.where())
_server_ssl_defaults = ssl.create_default_context(
ssl.Purpose.CLIENT_AUTH)
else:
|
