From 69cd38ab8684e2a6760f8861d141822d41170c7b Mon Sep 17 00:00:00 2001 From: Deni Bertovic Date: Sat, 22 Mar 2014 01:04:12 +0100 Subject: [PATCH 01/12] initial take on adding support for tls auth with client certificates --- docker/client.py | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/docker/client.py b/docker/client.py index 38355b09c4..9ae21a235e 100644 --- a/docker/client.py +++ b/docker/client.py @@ -69,9 +69,18 @@ def is_server_error(self): class Client(requests.Session): - def __init__(self, base_url=None, version=DEFAULT_DOCKER_API_VERSION, - timeout=DEFAULT_TIMEOUT_SECONDS): + def __init__(self, + base_url=None, + version=DEFAULT_DOCKER_API_VERSION, + timeout=DEFAULT_TIMEOUT_SECONDS, + tls=False, + tls_cert=None, + tls_key=None): super(Client, self).__init__() + if tls and not (tls_cert and tls_key): + raise RuntimeError('tls_key and tls_cert are required.') + if tls and not base_url.startswith('https'): + raise RuntimeError('TLS: base_url has to start with https://') if base_url is None: base_url = "http+unix://var/run/docker.sock" if 'unix:///' in base_url: @@ -87,7 +96,12 @@ def __init__(self, base_url=None, version=DEFAULT_DOCKER_API_VERSION, self._timeout = timeout self._auth_configs = auth.load_config() - self.mount('http+unix://', unixconn.UnixAdapter(base_url, timeout)) + if tls: + self.cert = (tls_cert, tls_key) + self.verify = False # We assume the server.crt will we self signed + self.mount('https://', requests.adapters.HTTPAdapter()) + else: + self.mount('http+unix://', unixconn.UnixAdapter(base_url, timeout)) def _set_request_timeout(self, kwargs): """Prepare the kwargs for an HTTP request by inserting the timeout From 7ce73de4a710b6ccd334673bd3c4d1ee667addea Mon Sep 17 00:00:00 2001 
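Review bot: The new `tls` guards in `__init__` call `base_url.startswith('https')` before the `if base_url is None:` default that follows them, so `Client(tls=True)` with no URL fails with an AttributeError on None instead of the intended error. The prefix test also accepts any string that merely begins with `https`. Moving both checks below the default and tightening the test to `if tls and not base_url.startswith('https://'):` covers both; PATCH 02's `@@ -75,12 +78,14 @@` hunk fixes the prefix but keeps the same ordering. The body of `__init__` continues outside this hunk.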
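Review bot: `self.verify = False` in the new `if tls:` branch switches off server certificate verification for every TLS connection, so the client proves its identity with `tls_cert`/`tls_key` to a daemon whose identity is never checked. A self-signed server certificate can still be verified by pointing `verify` at that certificate or its CA, so verification should be the default and the opt-out explicit, for example a `tls_ca_cert=None` keyword and `self.verify = tls_ca_cert or True`. PATCH 02's `@@ -96,10 +101,44 @@` hunk adds `tls_verify` and `tls_ca_cert` but defaults `tls_verify` to False and still ends in `self.verify = False`, so the same default applies there. The inline comment also has a typo ("will we self signed").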
From: Mo Omer Date: Tue, 13 May 2014 20:35:19 -0500 Subject: [PATCH 02/12] Expanding on @denibertovic initial additions, we now have full support for SSL in docker-py. Including the ability to specify the expected SSL Version for issues with OpenSSL sslv3/tls1 recognition issues. Added an exception class for repetitive reminders to look at the CLI doc on docker.io. --- docker/client.py | 57 +++++++++++++++++++++++++++------ docker/exceptions/__init__.py | 1 + docker/exceptions/exceptions.py | 6 ++++ docker/ssladapter/__init__.py | 1 + docker/ssladapter/ssladapter.py | 23 +++++++++++++ setup.py | 2 +- 6 files changed, 80 insertions(+), 10 deletions(-) create mode 100644 docker/exceptions/__init__.py create mode 100644 docker/exceptions/exceptions.py create mode 100644 docker/ssladapter/__init__.py create mode 100644 docker/ssladapter/ssladapter.py diff --git a/docker/client.py b/docker/client.py index 9ae21a235e..d7d130761f 100644 --- a/docker/client.py +++ b/docker/client.py @@ -16,6 +16,7 @@ import re import shlex import struct +import os import requests import requests.exceptions @@ -23,7 +24,9 @@ from .auth import auth from .unixconn import unixconn +from .ssladapter import ssladapter from .utils import utils +from .exceptions import exceptions if not six.PY3: import websocket 
@@ -75,12 +78,14 @@ def __init__(self, timeout=DEFAULT_TIMEOUT_SECONDS, tls=False, tls_cert=None, - tls_key=None): + tls_key=None, + tls_verify=False, + tls_ca_cert=None, + ssl_version=None): super(Client, self).__init__() - if tls and not (tls_cert and tls_key): - raise RuntimeError('tls_key and tls_cert are required.') - if tls and not base_url.startswith('https'): - raise RuntimeError('TLS: base_url has to start with https://') + + if (tls or tls_verify) and not base_url.startswith('https://'): + raise exceptions.TLSParameterError('If using TLS, the base_url argument must begin with "https://".') if base_url is None: base_url = "http+unix://var/run/docker.sock" if 'unix:///' in base_url: 
@@ -96,10 +101,44 @@ def __init__(self, self._timeout = timeout self._auth_configs = auth.load_config() - if tls: - self.cert = (tls_cert, tls_key) - self.verify = False # We assume the server.crt will we self signed - self.mount('https://', requests.adapters.HTTPAdapter()) + """ Argument compatibility/mapping with http://docs.docker.io/examples/https/ + + This diverges from the Docker CLI in that users can specify 'tls' here, but also + disable any public/default CA pool verification by leaving tls_verify=False + """ + """ urllib3 sets a default ssl_version if ssl_version is None + https://github.com/shazow/urllib3/blob/62ecd1523ec383802cb13b09bd7084d2da997420/urllib3/util/ssl_.py#L83 + """ + self.ssl_version = ssl_version + + """ "tls" and "tls_verify" must have both or neither cert/key files + In either case, Alert the user when both are expected, but any are missing.""" + if (tls or tls_verify) and (tls_cert or tls_key): + if not (tls_cert and tls_key) or (not os.path.isfile(tls_cert) or not os.path.isfile(tls_key)): + raise exceptions.TLSParameterError( + 'You must provide either both "tls_cert"/"tls_key" files, or neither, in order to use TLS.') + else: + self.cert = (tls_cert, tls_key) + + """ + Either set tls_verify to True (public/default CA checks) or to the path of a CA Cert file. 
+ ref: https://github.com/kennethreitz/requests/blob/739d153ef77765392fa109bebead4260c05f3193/requests/adapters.py#L135-L137 + ref: https://github.com/kennethreitz/requests/blob/master/requests/sessions.py#L433-L439 + """ + if tls_verify: + if not tls_ca_cert: + self.verify = True + elif os.path.isfile(tls_ca_cert): + self.verify = tls_ca_cert + else: + raise exceptions.TLSParameterError( + 'If "tls_verify" is set, then "tls_ca_cert" must be blank (to check default/public CA list) OR a path to a CA Cert File.') + else: + self.verify = False + + """ Use SSLAdapter for the ability to specify SSL version """ + if tls or tls_verify: + self.mount('https://', ssladapter.SSLAdapter(self.ssl_version)) else: self.mount('http+unix://', unixconn.UnixAdapter(base_url, timeout)) diff --git a/docker/exceptions/__init__.py b/docker/exceptions/__init__.py new file mode 100644 index 0000000000..fdb8e77976 --- /dev/null +++ b/docker/exceptions/__init__.py @@ -0,0 +1 @@ +from .exceptions import TLSParameterError diff --git a/docker/exceptions/exceptions.py b/docker/exceptions/exceptions.py new file mode 100644 index 0000000000..a22231a902 --- /dev/null +++ b/docker/exceptions/exceptions.py @@ -0,0 +1,6 @@ +class TLSParameterError(ValueError): + def __init__(self, msg): + self.msg = msg + + def __str__(self): + return self.msg + "\n\nTLS configurations should map the Docker CLI client configurations. See http://docs.docker.io/examples/https/ for API details." diff --git a/docker/ssladapter/__init__.py b/docker/ssladapter/__init__.py new file mode 100644 index 0000000000..182c35c581 --- /dev/null +++ b/docker/ssladapter/__init__.py @@ -0,0 +1 @@ +from .ssladapter import SSLAdapter diff --git a/docker/ssladapter/ssladapter.py b/docker/ssladapter/ssladapter.py new file mode 100644 index 0000000000..b78223ad3d --- /dev/null +++ b/docker/ssladapter/ssladapter.py 
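Review bot: The explanatory blocks added to `__init__` in the `@@ -96,10 +101,44 @@` hunk are bare triple-quoted string expressions, not comments: they sit in the middle of the function body, are not docstrings, and are evaluated and discarded as statements. Writing them as `#` comments keeps the rationale next to the TLS checks without that ambiguity, e.g. `# "tls" and "tls_verify" need both cert and key files, or neither`. The second `ref:` link points at `master` rather than a commit, so its line anchor will drift as the referenced file changes; pinning it to a commit, as the other two links do, keeps it meaningful. This hunk starts and ends inside `__init__`.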
@@ -0,0 +1,23 @@ +""" Resolves OpenSSL issues in some servers: + https://lukasa.co.uk/2013/01/Choosing_SSL_Version_In_Requests/ + https://github.com/kennethreitz/requests/pull/799 +""" +from requests.adapters import HTTPAdapter +try: + from requests.packages.urllib3.poolmanager import PoolManager +except ImportError: + from urllib3.poolmanager import PoolManager + + +class SSLAdapter(HTTPAdapter): + '''An HTTPS Transport Adapter that uses an arbitrary SSL version.''' + def __init__(self, ssl_version=None, **kwargs): + self.ssl_version = ssl_version + + super(SSLAdapter, self).__init__(**kwargs) + + def init_poolmanager(self, connections, maxsize, block=False): + self.poolmanager = PoolManager(num_pools=connections, + maxsize=maxsize, + block=block, + ssl_version=self.ssl_version) \ No newline at end of file diff --git a/setup.py b/setup.py index 8c196f89d9..40e31c8427 100644 --- a/setup.py +++ b/setup.py @@ -19,7 +19,7 @@ name="docker-py", version='0.3.0', description="Python client for Docker.", - packages=['docker', 'docker.auth', 'docker.unixconn', 'docker.utils'], + packages=['docker', 'docker.auth', 'docker.unixconn', 'docker.utils', 'docker.ssladapter', 'docker.exceptions'], install_requires=requirements + test_requirements, zip_safe=False, test_suite='tests', From 72c29ee5cf23fae57e484453843c6d517e82aa2a Mon Sep 17 00:00:00 2001 From: Joffrey F Date: Mon, 23 Jun 2014 20:32:27 +0200 Subject: [PATCH 03/12] Added TLS configuration instructions in README.md --- README.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/README.md b/README.md index 325a9277f3..0eaa043179 100644 --- a/README.md +++ b/README.md 
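Review bot: `SSLAdapter` forwards `ssl_version` to `PoolManager` unchanged, and neither the class docstring nor `__init__` says what values are expected or what pinning one implies. Fixing a single protocol constant removes version negotiation for every connection through this adapter, and the commit message mentions sslv3/tls1 handling, so a caller can end up pinned to an outdated protocol without realising it. I would extend the class docstring to say that `ssl_version` is presumably one of the `ssl.PROTOCOL_*` constants, that `None` leaves the choice to urllib3, and that an explicit value should be the newest protocol the daemon supports. The file also ends without a trailing newline.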
@@ -342,3 +342,44 @@ c.start(container_id, binds={ } }) ``` + +Connection to daemon using HTTPS +================================ + +*These instructions are docker-py specific. Please refer to +http://docs.docker.com/articles/https/ first.* + +* Authenticate server based on public/default CA pool + +```python +client = docker.Client(base_url='', tls=True) +``` + +* Authenticate server based on given CA + +```python +tls_config = docker.tls.TLSConfig( + False, tls_verify=True, tls_ca_cert='/path/to/ca.pem') +client = docker.Client(base_url='', tls=tls_config) +``` + +* Authenticate with client certificate, do not authenticate server + based on given CA + +```python +tls_config = docker.tls.TLSConfig( + True, tls_cert='/path/to/client-cert.pem', + tls_key='/path/to/client-key.pem' +) +client = docker.Client(base_url='', tls=tls_config) +``` + +* Authenticate with client certificate, authenticate server based on given CA + +```python +tls_config = docker.tls.TLSConfig( + False, tls_cert='/path/to/client-cert.pem', + tls_key='/path/to/client-key.pem', tls_ca_cert='/path/to/ca.pem' +) +client = docker.Client(base_url='', tls=tls_config) +``` From 94cb0bdc136522ddaae82290dd94841d6a3ac12c Mon Sep 17 00:00:00 2001 From: Joffrey F Date: Tue, 24 Jun 2014 21:11:59 +0200 Subject: [PATCH 04/12] Fixed bugs, clearer error messages --- docker/client.py | 2 +- docker/tls.py | 24 ++++++++++++++---------- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/docker/client.py b/docker/client.py index 83eebdd493..1219ad5ce2 100644 --- a/docker/client.py +++ b/docker/client.py @@ -61,7 +61,7 @@ def __init__(self, base_url=None, version=DEFAULT_DOCKER_API_VERSION, self._timeout = timeout self._auth_configs = auth.load_config() - """ Use SSLAdapter for the ability to specify SSL version """ + # Use SSLAdapter for the ability to specify SSL version if isinstance(tls, TLSConfig): tls.configure_client(self) elif tls: 
diff --git a/docker/tls.py b/docker/tls.py index 0cf8acc21d..6b6b71fbcc 100644 --- a/docker/tls.py +++ b/docker/tls.py @@ -5,6 +5,10 @@ class TLSConfig(object): + cert = None + verify = None + ssl_version = None + def __init__(self, tls, tls_cert=None, tls_key=None, tls_verify=False, tls_ca_cert=None, ssl_version=None): # Argument compatibility/mapping with @@ -25,11 +29,12 @@ def __init__(self, tls, tls_cert=None, tls_key=None, tls_verify=False, if not (tls_cert and tls_key) or (not os.path.isfile(tls_cert) or not os.path.isfile(tls_key)): raise errors.TLSParameterError( - 'You must provide either both "tls_cert"/"tls_key" files, ' - 'or neither, in order to use TLS.') + 'Client certificate must provide certificate and key files' + ' through tls_cert and tls_key params respectively' + ) self.cert = (tls_cert, tls_key) - # Either set tls_verify to True (public/default CA checks) or to the + # Either set verify to True (public/default CA checks) or to the # path of a CA Cert file. if tls_verify: if not tls_ca_cert: @@ -38,14 +43,13 @@ def __init__(self, tls, tls_cert=None, tls_key=None, tls_verify=False, self.verify = tls_ca_cert else: raise errors.TLSParameterError( - 'If "tls_verify" is set, then "tls_ca_cert" must be blank' - ' (to check public CA list) OR a path to a Cert File.' + 'Invalid CA certificate provided for `tls_ca_cert`.' ) - else: - self.verify = False def configure_client(self, client): - client.verify = self.verify client.ssl_version = self.ssl_version - client.cert = self.cert - self.mount('https://', ssladapter.SSLAdapter(self.ssl_version)) + if self.verify is not None: + client.verify = self.verify + if self.cert: + client.cert = self.cert + client.mount('https://', ssladapter.SSLAdapter(self.ssl_version)) From 6080fa50973116e07ca5f2e3bc8cd4cebe7c9f23 Mon Sep 17 00:00:00 2001 
From: Joffrey F Date: Thu, 3 Jul 2014 00:21:07 +0200 Subject: [PATCH 05/12] Simple TLS configuration doesn't create the ssl_version attribute, use default when mounting adapter --- docker/client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/client.py b/docker/client.py index 1219ad5ce2..4cba6a98bb 100644 --- a/docker/client.py +++ b/docker/client.py @@ -65,7 +65,7 @@ def __init__(self, base_url=None, version=DEFAULT_DOCKER_API_VERSION, if isinstance(tls, TLSConfig): tls.configure_client(self) elif tls: - self.mount('https://', ssladapter.SSLAdapter(self.ssl_version)) + self.mount('https://', ssladapter.SSLAdapter()) else: self.mount('http+unix://', unixconn.UnixAdapter(base_url, timeout)) From 123bb8a436b4080a62d1bbb3c5ab54b419b8f0f0 Mon Sep 17 00:00:00 2001 From: Joffrey F Date: Thu, 3 Jul 2014 01:00:39 +0200 Subject: [PATCH 06/12] Allow setting Client.verify to false when tls_verify is set to false in TLSConfig --- docker/tls.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/tls.py b/docker/tls.py index 6b6b71fbcc..b344d677d6 100644 --- a/docker/tls.py +++ b/docker/tls.py @@ -9,7 +9,7 @@ class TLSConfig(object): verify = None ssl_version = None - def __init__(self, tls, tls_cert=None, tls_key=None, tls_verify=False, + def __init__(self, tls, tls_cert=None, tls_key=None, tls_verify=None, tls_ca_cert=None, ssl_version=None): # Argument compatibility/mapping with # http://docs.docker.com/examples/https/ @@ -36,9 +36,9 @@ def __init__(self, tls, tls_cert=None, tls_key=None, tls_verify=False, # Either set verify to True (public/default CA checks) or to the # path of a CA Cert file. - if tls_verify: + if tls_verify is not None: if not tls_ca_cert: - self.verify = True + self.verify = tls_verify elif os.path.isfile(tls_ca_cert): self.verify = tls_ca_cert else: From e6888591eb84c0f3f3ce1c33748c31bf830173cb Mon Sep 17 00:00:00 2001 
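Review bot: With `tls_verify` now defaulting to None in PATCH 06, the `if tls_verify is not None:` block is skipped whenever a caller passes only `tls_ca_cert`, so the CA path never reaches `self.verify` and is not even checked with `os.path.isfile`. `configure_client` then leaves `client.verify` untouched, which means the server is checked against the session's default trust store (presumably requests' default CA bundle) instead of the CA the caller named. Treating a supplied CA as a request to verify closes the gap, e.g. `if tls_ca_cert and tls_verify is None: tls_verify = True` ahead of the block. The guard added in PATCH 07 sits inside the same block, and the renamed code in PATCH 09 and PATCH 12 keeps this shape, so the README example that passes only `server_cacert`/`ca_cert` is affected too. `__init__` begins and ends outside this hunk.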
From: Joffrey F Date: Thu, 3 Jul 2014 01:08:00 +0200 Subject: [PATCH 07/12] Raise an exception when tls_ca_cert is provided and tls_verify is false --- docker/tls.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docker/tls.py b/docker/tls.py index b344d677d6..45dce57d09 100644 --- a/docker/tls.py +++ b/docker/tls.py @@ -40,6 +40,11 @@ def __init__(self, tls, tls_cert=None, tls_key=None, tls_verify=None, if not tls_ca_cert: self.verify = tls_verify elif os.path.isfile(tls_ca_cert): + if not tls_verify: + raise errors.TLSParameterError( + 'tls_verify can not be False when a CA cert is' + ' provided.' + ) self.verify = tls_ca_cert else: raise errors.TLSParameterError( From af91c784544c9ab46014693fd425827ee045af6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E8=B6=85?= Date: Mon, 7 Jul 2014 20:50:44 +0800 Subject: [PATCH 08/12] fix ssl_version exception when urllib3 version <= 1.5 --- docker/ssladapter/ssladapter.py | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/docker/ssladapter/ssladapter.py b/docker/ssladapter/ssladapter.py index c38481fa06..f0f7b067cc 100644 --- a/docker/ssladapter/ssladapter.py +++ b/docker/ssladapter/ssladapter.py @@ -2,10 +2,12 @@ https://lukasa.co.uk/2013/01/Choosing_SSL_Version_In_Requests/ https://github.com/kennethreitz/requests/pull/799 """ +from distutils.version import StrictVersion from requests.adapters import HTTPAdapter try: from requests.packages.urllib3.poolmanager import PoolManager except ImportError: + import urllib3 from urllib3.poolmanager import PoolManager 
@@ -16,7 +18,13 @@ def __init__(self, ssl_version=None, **kwargs): super(SSLAdapter, self).__init__(**kwargs) def init_poolmanager(self, connections, maxsize, block=False): - self.poolmanager = PoolManager(num_pools=connections, - maxsize=maxsize, - block=block, - ssl_version=self.ssl_version) + urllib_ver = urllib3.__version__ + if urllib3 and StrictVersion(urllib_ver) <= StrictVersion('1.5'): + self.poolmanager = PoolManager(num_pools=connections, + maxsize=maxsize, + block=block) + else: + self.poolmanager = PoolManager(num_pools=connections, + maxsize=maxsize, + block=block, + ssl_version=self.ssl_version) From 8393dbcaff88576cf6a36be598e11d6b95d6f3dc Mon Sep 17 00:00:00 2001 From: Joffrey F Date: Tue, 8 Jul 2014 14:56:48 +0200 Subject: [PATCH 09/12] Improved TLSConfig API to be less obscure / more pythonic. Also improved / amended docs --- README.md | 30 ++++++++++++++++++++++++------ docker/tls.py | 32 ++++++++++++++++++++------------ 2 files changed, 44 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 0eaa043179..2de72bd627 100644 --- a/README.md +++ b/README.md 
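Review bot: In the new `<= 1.5` branch of `init_poolmanager` the `PoolManager` is built without `ssl_version`, so a protocol the caller asked for is dropped silently and the connection uses whatever that urllib3 release picks. When `self.ssl_version` is set this should at least be reported, e.g. `warnings.warn('ssl_version is ignored with urllib3 <= 1.5')` inside that branch (with `import warnings` at the top of the file). Separately, the first hunk of this patch adds `import urllib3` only inside `except ImportError:`, so when the vendored `requests.packages.urllib3` import succeeds the name `urllib3` looks unbound at `urllib3.__version__`; PATCH 11 in this series rebinds it.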
@@ -355,31 +355,49 @@ http://docs.docker.com/articles/https/ first.* client = docker.Client(base_url='', tls=True) ``` +Equivalent CLI options: `docker --tls ...` + +If you want to use TLS but don't want to verify the server certificate +(for example when testing with a self-signed certificate): + +```python +tls_config = docker.tls.TLSConfig(verify=False) +client = docker.Client(base_url='', tls=tls_config) +``` + * Authenticate server based on given CA ```python -tls_config = docker.tls.TLSConfig( - False, tls_verify=True, tls_ca_cert='/path/to/ca.pem') +tls_config = docker.tls.TLSConfig(server_cacert='/path/to/ca.pem') client = docker.Client(base_url='', tls=tls_config) ``` +Equivalent CLI options: `docker --tlsverify --tlscacert /path/to/ca.pem ...` + * Authenticate with client certificate, do not authenticate server based on given CA ```python tls_config = docker.tls.TLSConfig( - True, tls_cert='/path/to/client-cert.pem', - tls_key='/path/to/client-key.pem' + True, client_cert=('/path/to/client-cert.pem', '/path/to/client-key.pem') ) client = docker.Client(base_url='', tls=tls_config) ``` +Equivalent CLI options: +`docker --tls --tlscert /path/to/client-cert.pem +--tlskey /path/to/client-key.pem ...` + * Authenticate with client certificate, authenticate server based on given CA ```python tls_config = docker.tls.TLSConfig( - False, tls_cert='/path/to/client-cert.pem', - tls_key='/path/to/client-key.pem', tls_ca_cert='/path/to/ca.pem' + client_cert=('/path/to/client-cert.pem', '/path/to/client-key.pem'), + server_cacert='/path/to/ca.pem' ) client = docker.Client(base_url='', tls=tls_config) ``` + +Equivalent CLI options: +`docker --tlsverify --tlscert /path/to/client-cert.pem +--tlskey /path/to/client-key.pem --tlscacert /path/to/ca.pem ...` \ No newline at end of file diff --git a/docker/tls.py b/docker/tls.py index 45dce57d09..61fa748c99 100644 --- a/docker/tls.py +++ b/docker/tls.py 
@@ -9,8 +9,8 @@ class TLSConfig(object): verify = None ssl_version = None - def __init__(self, tls, tls_cert=None, tls_key=None, tls_verify=None, - tls_ca_cert=None, ssl_version=None): + def __init__(self, client_cert=None, server_cacert=None, verify=None, + ssl_version=None): # Argument compatibility/mapping with # http://docs.docker.com/examples/https/ # This diverges from the Docker CLI in that users can specify 'tls' @@ -25,27 +25,35 @@ def __init__(self, tls, tls_cert=None, tls_key=None, tls_verify=None, # In either case, Alert the user when both are expected, but any are # missing. - if tls_cert or tls_key: + if client_cert: + try: + tls_cert, tls_key = client_cert + except ValueError: + raise errors.TLSParameterError( + 'client_config must be a tuple of' + ' (client certificate, key file)' + ) + if not (tls_cert and tls_key) or (not os.path.isfile(tls_cert) or not os.path.isfile(tls_key)): raise errors.TLSParameterError( - 'Client certificate must provide certificate and key files' - ' through tls_cert and tls_key params respectively' + 'Path to a certificate and key files must be provided' + ' through the client_config param' ) self.cert = (tls_cert, tls_key) # Either set verify to True (public/default CA checks) or to the # path of a CA Cert file. - if tls_verify is not None: - if not tls_ca_cert: - self.verify = tls_verify - elif os.path.isfile(tls_ca_cert): - if not tls_verify: + if verify is not None: + if not server_cacert: + self.verify = verify + elif os.path.isfile(server_cacert): + if not verify: raise errors.TLSParameterError( - 'tls_verify can not be False when a CA cert is' + 'verify can not be False when a CA cert is' ' provided.' ) - self.verify = tls_ca_cert + self.verify = server_cacert else: raise errors.TLSParameterError( 'Invalid CA certificate provided for `tls_ca_cert`.' From d528e7ea51ab87d4af559515f2ac50a65163bafa Mon Sep 17 00:00:00 2001 
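Review bot: The error messages in the `@@ -25,27 +25,35 @@` hunk name parameters that do not exist in the new signature: both client-certificate failures say `client_config` although the argument is `client_cert`, and the CA failure still says `tls_ca_cert` although the argument is now `server_cacert`. A user who hits one of these has no parameter of that name to correct, so the strings should use the real names; PATCH 12 renames the argument to `ca_cert` and leaves the `tls_ca_cert` message in place. The unpacking guard also catches only ValueError, so a non-iterable `client_cert` such as `True` escapes as a TypeError instead of a TLSParameterError; `except (TypeError, ValueError):` would cover it. `__init__` continues outside this hunk.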
From: Joffrey F Date: Wed, 9 Jul 2014 17:09:37 +0200 Subject: [PATCH 10/12] Incorrect argument list in TLS docs --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2de72bd627..e58cb72bb7 100644 --- a/README.md +++ b/README.md @@ -379,7 +379,7 @@ Equivalent CLI options: `docker --tlsverify --tlscacert /path/to/ca.pem ...` ```python tls_config = docker.tls.TLSConfig( - True, client_cert=('/path/to/client-cert.pem', '/path/to/client-key.pem') + client_cert=('/path/to/client-cert.pem', '/path/to/client-key.pem') ) client = docker.Client(base_url='', tls=tls_config) ``` From 6f557ed73372aa5823393a53b079bf4cec7511b8 Mon Sep 17 00:00:00 2001 From: Joffrey F Date: Wed, 9 Jul 2014 17:59:47 +0200 Subject: [PATCH 11/12] Fix some urllib3 import issues --- docker/ssladapter/ssladapter.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docker/ssladapter/ssladapter.py b/docker/ssladapter/ssladapter.py index f0f7b067cc..99dc36a6cd 100644 --- a/docker/ssladapter/ssladapter.py +++ b/docker/ssladapter/ssladapter.py @@ -5,10 +5,12 @@ from distutils.version import StrictVersion from requests.adapters import HTTPAdapter try: - from requests.packages.urllib3.poolmanager import PoolManager + import requests.packages.urllib3 as urllib3 except ImportError: import urllib3 - from urllib3.poolmanager import PoolManager + + +PoolManager = urllib3.poolmanager.PoolManager class SSLAdapter(HTTPAdapter): @@ -18,8 +20,9 @@ def __init__(self, ssl_version=None, **kwargs): super(SSLAdapter, self).__init__(**kwargs) def init_poolmanager(self, connections, maxsize, block=False): - urllib_ver = urllib3.__version__ - if urllib3 and StrictVersion(urllib_ver) <= StrictVersion('1.5'): + urllib_ver = urllib3.__version__.split('-')[0] + if urllib3 and urllib_ver != 'dev' and \ + StrictVersion(urllib_ver) <= StrictVersion('1.5'): self.poolmanager = PoolManager(num_pools=connections, maxsize=maxsize, block=block) 
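Review bot: `StrictVersion(urllib_ver)` in `init_poolmanager` (PATCH 11) raises ValueError for any version string outside its strict `N.N[.N]` pattern, and only the literal `dev` is special-cased here. An unexpected `urllib3.__version__` would therefore break adapter set-up rather than fall through to the normal branch. Wrapping the comparison in `try`/`except ValueError` and treating an unparseable version as a recent one keeps the TLS path usable; the leading `urllib3 and` test is always true for an imported module and can go. `distutils`, which provides `StrictVersion`, is no longer part of the standard library from Python 3.12 on.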
From 436a3b1ff9f874e3e4e84c88ee4604eab5f87994 Mon Sep 17 00:00:00 2001 From: Joffrey F Date: Thu, 10 Jul 2014 17:14:07 +0200 Subject: [PATCH 12/12] server_cacert -> ca_cert --- README.md | 4 ++-- docker/tls.py | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index e58cb72bb7..40e19335c9 100644 --- a/README.md +++ b/README.md @@ -368,7 +368,7 @@ client = docker.Client(base_url='', tls=tls_config) * Authenticate server based on given CA ```python -tls_config = docker.tls.TLSConfig(server_cacert='/path/to/ca.pem') +tls_config = docker.tls.TLSConfig(ca_cert='/path/to/ca.pem') client = docker.Client(base_url='', tls=tls_config) ``` @@ -393,7 +393,7 @@ Equivalent CLI options: ```python tls_config = docker.tls.TLSConfig( client_cert=('/path/to/client-cert.pem', '/path/to/client-key.pem'), - server_cacert='/path/to/ca.pem' + ca_cert='/path/to/ca.pem' ) client = docker.Client(base_url='', tls=tls_config) ``` diff --git a/docker/tls.py b/docker/tls.py index 61fa748c99..531f4d681b 100644 --- a/docker/tls.py +++ b/docker/tls.py @@ -9,7 +9,7 @@ class TLSConfig(object): verify = None ssl_version = None - def __init__(self, client_cert=None, server_cacert=None, verify=None, + def __init__(self, client_cert=None, ca_cert=None, verify=None, ssl_version=None): # Argument compatibility/mapping with # http://docs.docker.com/examples/https/ @@ -45,15 +45,15 @@ def __init__(self, client_cert=None, server_cacert=None, verify=None, # Either set verify to True (public/default CA checks) or to the # path of a CA Cert file. if verify is not None: - if not server_cacert: + if not ca_cert: self.verify = verify - elif os.path.isfile(server_cacert): + elif os.path.isfile(ca_cert): if not verify: raise errors.TLSParameterError( 'verify can not be False when a CA cert is' ' provided.' ) - self.verify = server_cacert + self.verify = ca_cert else: raise errors.TLSParameterError( 'Invalid CA certificate provided for `tls_ca_cert`.'