11f7c3310f
The requests library defaults to using the certificates from the certifi library when not otherwise specified. If I understand the discussion at #8247 correctly, we should instead patch it so that it follows the following priority order: 1. the path pointed to by the environment variable $NIX_SSL_CERT_FILE 2. /etc/ssl/certs/ca-certificates.crt 3. whatever it was doing before (in this case, using certifi) This commit implements that.
60 lines
1.9 KiB
Diff
60 lines
1.9 KiB
Diff
From b36083efafec5a3c1c5864cd0b62367ddf3856ae Mon Sep 17 00:00:00 2001
|
|
From: Keshav Kini <keshav.kini@gmail.com>
|
|
Date: Sun, 16 May 2021 20:35:24 -0700
|
|
Subject: [PATCH] Prefer NixOS/Nix default CA bundles over certifi
|
|
|
|
Normally, requests gets its default CA bundle from the certifi
|
|
package. On NixOS and when using Nix on non-NixOS platforms, we would
|
|
rather default to using our own certificate bundles controlled by the
|
|
Nix/NixOS user.
|
|
|
|
This commit overrides requests.certs.where(), which previously was
|
|
just aliased to certifi.where(), so that now it does the following:
|
|
|
|
- When run by Nix on non-NixOS, the environment variable
|
|
$NIX_SSL_CERT_FILE will point to the CA bundle we're using, so we
|
|
use that.
|
|
|
|
- When running on NixOS, the CA bundle we're using has the static path
|
|
/etc/ssl/certs/ca-certificates.crt , so we use that.
|
|
|
|
- Otherwise, we fall back to the original behavior of using certifi's
|
|
CA bundle. Higher in the call stack, users of requests can also
|
|
explicitly specify a CA bundle to use, which overrides all this
|
|
logic.
|
|
---
|
|
requests/certs.py | 18 +++++++++++++++++-
|
|
1 file changed, 17 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/requests/certs.py b/requests/certs.py
|
|
index d1a378d7..faf462b7 100644
|
|
--- a/requests/certs.py
|
|
+++ b/requests/certs.py
|
|
@@ -12,7 +12,23 @@ If you are packaging Requests, e.g., for a Linux distribution or a managed
|
|
environment, you can change the definition of where() to return a separately
|
|
packaged CA bundle.
|
|
"""
|
|
-from certifi import where
|
|
+
|
|
+import os
|
|
+
|
|
+import certifi
|
|
+
|
|
+
|
|
+def where():
|
|
+ nix_ssl_cert_file = os.getenv("NIX_SSL_CERT_FILE")
|
|
+ if nix_ssl_cert_file and os.path.exists(nix_ssl_cert_file):
|
|
+ return nix_ssl_cert_file
|
|
+
|
|
+ nixos_ca_bundle = "/etc/ssl/certs/ca-certificates.crt"
|
|
+ if os.path.exists(nixos_ca_bundle):
|
|
+ return nixos_ca_bundle
|
|
+
|
|
+ return certifi.where()
|
|
+
|
|
|
|
if __name__ == '__main__':
|
|
print(where())
|
|
--
|
|
2.31.1
|
|
|