path: root/debian/patches/02_require-cert-verification.patch
Diffstat (limited to 'debian/patches/02_require-cert-verification.patch')
-rw-r--r--debian/patches/02_require-cert-verification.patch39
1 files changed, 39 insertions, 0 deletions
diff --git a/debian/patches/02_require-cert-verification.patch b/debian/patches/02_require-cert-verification.patch
new file mode 100644
index 0000000..6973d7a
--- /dev/null
+++ b/debian/patches/02_require-cert-verification.patch
@@ -0,0 +1,39 @@
+From 9cd0feeb36e835dbc9f394befd32e02ec1ce6841 Mon Sep 17 00:00:00 2001
+From: Jamie Strandboge <jamie@canonical.com>
+Date: Thu, 8 Oct 2015 13:19:47 -0700
+Subject: require SSL certificate validation by default by using
+
+ CERT_REQUIRED and using the system /etc/ssl/certs/ca-certificates.crt
+Bug-Ubuntu: https://launchpad.net/bugs/1047054
+Bug-Debian: http://bugs.debian.org/686872
+Last-Update: 2014-09-01
+
+Patch-Name: 02_require-cert-verification.patch
+---
+ urllib3/connectionpool.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/urllib3/connectionpool.py b/urllib3/connectionpool.py
+index 0750e24..fe2f546 100644
+--- a/urllib3/connectionpool.py
++++ b/urllib3/connectionpool.py
+@@ -679,6 +679,8 @@ class HTTPSConnectionPool(HTTPConnectionPool):
+ ``ssl_version`` are only used if :mod:`ssl` is available and are fed into
+ :meth:`urllib3.util.ssl_wrap_socket` to upgrade the connection socket
+ into an SSL socket.
++
++ On Debian, SSL certificate validation is required by default
+ """
+
+ scheme = 'https'
+@@ -688,8 +690,8 @@ class HTTPSConnectionPool(HTTPConnectionPool):
+ strict=False, timeout=Timeout.DEFAULT_TIMEOUT, maxsize=1,
+ block=False, headers=None, retries=None,
+ _proxy=None, _proxy_headers=None,
+- key_file=None, cert_file=None, cert_reqs=None,
+- ca_certs=None, ssl_version=None,
++ key_file=None, cert_file=None, cert_reqs='CERT_REQUIRED',
++ ca_certs='/etc/ssl/certs/ca-certificates.crt', ssl_version=None,
+ assert_hostname=None, assert_fingerprint=None,
+ **conn_kw):
+
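Review bot: The new defaults in the inner `__init__` signature (`cert_reqs='CERT_REQUIRED'`, `ca_certs='/etc/ssl/certs/ca-certificates.crt'`) only take effect when a caller omits those arguments. A caller or wrapper that forwards `cert_reqs=None` or `ca_certs=None` explicitly would presumably still get an unverified connection, since nothing visible maps `None` back to the required mode; the body of `__init__` lies outside the hunk, so this needs confirming there. The hard-coded bundle path also makes every default HTTPS pool depend on that file being present, so the package should declare a dependency on `ca-certificates` if it does not already, otherwise handshakes are likely to fail on minimal installs. I would extend the added docstring line to spell out the contract, e.g. `On Debian, SSL certificate validation is required by default: cert_reqs defaults to 'CERT_REQUIRED' and ca_certs to /etc/ssl/certs/ca-certificates.crt; explicitly passed values override these defaults.`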