WIP: Ensure PyOpenSSLContext.load_verify_locations raises ssl.SSLError

[pilou-]

Without this patch, an OpenSSL.SSL.Error is raised when PyOpenSSLContext.load_verify_locations fails:

$ python -c "import os; import urllib3; import urllib3.contrib.pyopenssl; urllib3.contrib.pyopenssl.inject_into_urllib3(); urllib3.util.ssl_wrap_socket(None, ca_certs=os.devnull)"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/tmp/urllib3/local/lib/python2.7/site-packages/urllib3/util/ssl_.py", line 321, in ssl_wrap_socket
    context.load_verify_locations(ca_certs, ca_cert_dir)
  File "/tmp/urllib3/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 428, in load_verify_locations
    self._ctx.load_verify_locations(cafile, capath)
  File "/tmp/urllib3/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 781, in load_verify_locations
    _raise_current_error()
  File "/tmp/urllib3/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 53, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: []

With this patch, an ssl.SSLError is raised, in the same way do_handshake errors are handled:

$ python -c "import os; import urllib3; import urllib3.contrib.pyopenssl; urllib3.contrib.pyopenssl.inject_into_urllib3(); urllib3.util.ssl_wrap_socket(None, ca_certs=os.devnull)"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/home/pilou/src/urllib3/src/urllib3/util/ssl_.py", line 313, in ssl_wrap_socket
    raise SSLError(e)
urllib3.exceptions.SSLError: ('unable to load trusted certificates: Error([('x509 certificate routines', 'X509_load_cert_crl_file', 'no certificate or crl found')],)',)

then:

1. this ssl.SSLError is caught by ssl_wrap_socket
2. an urllib3.exceptions.SSLError error is raised
   • which is the same exception that the one raised when pyOpenSSL isn't available
   • and which is what users of urllib3 library expect (this can be tested with python -c "import requests, os; requests.get('https://github.com', verify=os.devnull)")

[sethmlarson]

Thanks for opening this! I have a few review comments below to address before we can merge this.

[sethmlarson]

Let's add this testcase to TestClientCerts to ensure it's run against all SSLContext implementations.

[sethmlarson]

This docstring will have to be modified to be generic.

[sethmlarson]

You may have to add this change to the SecureTransport SSLContext implementation as well. We also need a CHANGES.rst entry saying that all SSLContext.load_verify_locations() implementations raise urllib3.exceptions.SSLError on a failure.

[codecov-io]

Codecov Report

Merging #1517 into master will increase coverage by 0.03%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #1517      +/-   ##
==========================================
+ Coverage   64.68%   64.72%   +0.03%     
==========================================
  Files          22       22              
  Lines        2897     2897              
==========================================
+ Hits         1874     1875       +1     
+ Misses       1023     1022       -1

Impacted Files	Coverage Δ
src/urllib3/util/ssl_.py	37.06% <0%> (+0.43%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update adb358f...b065bed. Read the comment docs.