If certifi library is available and installed on the system, insert certifi CA bundle path in the front of the Libcloud CA bundle search list.
This behavior can be disabled by setting LIBCLOUD_SSL_USE_CERTIFI environment variable to false.
Project: http://git-wip-us.apache.org/repos/asf/libcloud/repo
Commit: http://git-wip-us.apache.org/repos/asf/libcloud/commit/ec78da25
Tree: http://git-wip-us.apache.org/repos/asf/libcloud/tree/ec78da25
Diff: http://git-wip-us.apache.org/repos/asf/libcloud/diff/ec78da25
Branch: refs/heads/trunk
Commit: ec78da25b24c1b1e01ad7b830c9e6be2088acb5c
Parents: a4a58f9
Author: Tomaz Muraus <to...@tomaz.me>
Authored: Tue Jun 14 18:18:48 2016 +0200
Committer: Anthony Shaw <anthonys...@apache.org>
Committed: Fri Jun 17 16:36:42 2016 +1000
----------------------------------------------------------------------
 libcloud/security.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/libcloud/blob/ec78da25/libcloud/security.py
----------------------------------------------------------------------
diff --git a/libcloud/security.py b/libcloud/security.py
index 782d138..8338a44 100644
--- a/libcloud/security.py
+++ b/libcloud/security.py
@@ -36,6 +36,10 @@ VERIFY_SSL_CERT = True
 
 SSL_VERSION = ssl.PROTOCOL_TLSv1
 
+# True to use certifi CA bundle path when certifi library is available
+USE_CERTIFI = os.environ.get('LIBCLOUD_SSL_USE_CERTIFI', True)
+USE_CERTIFI = str(USE_CERTIFI).lower() in ['true', '1']
+
 # File containing one or more PEM-encoded CA certificates
 # concatenated together.
 CA_CERTS_PATH = [
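Review bot: The second added `USE_CERTIFI` line treats every value other than `true` or `1` as false, so a typo, a value such as `yes`, or one with stray whitespace silently turns certifi off and changes which CA bundle is trusted. Because this flag selects trust anchors, the comment should state the accepted values, e.g. `# Accepted: 'true' or '1' (case-insensitive); any other value disables certifi`. I would also parse with `str(USE_CERTIFI).strip().lower()` so that surrounding whitespace does not flip the setting. The `CA_CERTS_PATH` list opened by the last context line continues outside the hunk.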
@@ -61,6 +65,21 @@ CA_CERTS_PATH = [
 '/etc/ssl/certs/YaST-CA.pem',
 ]
 
+# Insert certifi CA bundle path to the front of Libcloud CA bundle search
+# path if certifi is available
+try:
+ import certifi
+except ImportError:
+ has_certifi = False
+else:
+ has_certifi = True
+
+if has_certifi and USE_CERTIFI:
+ certifi_ca_bundle_path = certifi.where()
+
+ if certifi_ca_bundle_path not in CA_CERTS_PATH:
+ CA_CERTS_PATH.insert(0, certifi_ca_bundle_path)
+
 # Allow user to explicitly specify which CA bundle to use, using an environment
 # variable
 environment_cert_file = os.getenv('SSL_CERT_FILE', None)
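Review bot: Inserting `certifi.where()` at index 0 in the `if has_certifi and USE_CERTIFI:` block makes a pip-installed bundle outrank the OS-managed CA files in `CA_CERTS_PATH` whenever `certifi` happens to be importable, and the added comment does not say that the trust store changes. Presumably the first usable entry in the list wins (the code that consumes the list is outside this hunk). If so, CAs that an administrator added or distrusted locally stop being honoured, and the effective trust anchors depend on how current the installed certifi package is. I would record that above the `try`, e.g. `# NOTE: certifi's bundle then takes precedence over the system CA files; set LIBCLOUD_SSL_USE_CERTIFI=false to keep the OS trust store`. The `SSL_CERT_FILE` handling that starts on the last context lines continues outside the hunk.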