From ad21fe759597968c0f691b37dc681232dcd8f2aa Mon Sep 17 00:00:00 2001 From: Javier Pena Date: Wed, 6 Oct 2021 11:58:37 +0200 Subject: [PATCH] Allow specifying a custom CA bundle file In some cases, we may want to keep SSL certificate verification set, but use our own CA bundle file when connecting to an SSL -enabled API server. This commit adds a check for a new environment variable, SSL_CA_BUNDLE. When set, it will instruct the client to use that file to verify SSL certificates, instead of the default one provided by certifi. Change-Id: I7f26798d7e1bd91493a12ca6f7e4c6f6fde57482 --- README.rst | 3 +++ dlrnapi_client/configuration.py | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/README.rst b/README.rst index 96d4ad1..fb8beb0 100644 --- a/README.rst +++ b/README.rst @@ -136,6 +136,9 @@ Environment variables API. - *SSL_VERIFY*: set to ‘0’ to deactivate SSL verification when talking to the DLRN API. +- *SSL_CA_BUNDLE*: when set to a value, it will instruct the client to + use that file to verify SSL certificates, instead of the default CA + bundle provided by `certifi`. Author ------ diff --git a/dlrnapi_client/configuration.py b/dlrnapi_client/configuration.py index f0d9e69..fae22b2 100644 --- a/dlrnapi_client/configuration.py +++ b/dlrnapi_client/configuration.py @@ -82,7 +82,9 @@ def __init__(self): else: self.verify_ssl = True # Set this to customize the certificate file to verify the peer. - self.ssl_ca_cert = None + # If SSL_CA_BUNDLE is not set, self.ssl_ca_cert will be None, + # so we will use the CA bundle provided by certifi + self.ssl_ca_cert = os.environ.get('SSL_CA_BUNDLE') # client certificate file self.cert_file = None # client key file
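Review bot: The new `self.ssl_ca_cert = os.environ.get('SSL_CA_BUNDLE')` line in `__init__` takes the trust-anchor path straight from the environment with no validation, so an empty value or a mistyped path is only discovered later, presumably as an opaque TLS error at the first request (the REST layer that consumes `ssl_ca_cert` is not visible here). Because this file replaces the certifi bundle rather than extending it, I would normalise and check it up front: `self.ssl_ca_cert = os.environ.get('SSL_CA_BUNDLE') or None` followed by `if self.ssl_ca_cert and not os.path.isfile(self.ssl_ca_cert): raise ValueError('SSL_CA_BUNDLE does not point to a file: %s' % self.ssl_ca_cert)`. The comment could also state that the variable has no effect when verification is turned off through SSL_VERIFY (that branch sits above the visible `else:` and is not shown), and that whoever controls the process environment chooses which CAs the client trusts for the DLRN API connection. `__init__` starts and ends outside this hunk.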