Skip to content
GitLab

[Python][Client] Default to system CA instead of certifi

Merged Administrator requested to merge github/fork/rparini/python-default-ca into master

Created by: rparini

Resolves #6506 (closed)

Gets the Python client to use the system Certificate Authority bundle by default for verifying ssl connections (like the Python standard library does, as described in PEP 476) instead of relying on the external certifi python package for the default. See https://github.com/OpenAPITools/openapi-generator/issues/6506 for the reasons for this change.

For the urllib3 python client this is achieved by passing configuration.ssl_ca_cert directly to urllib3.PoolManager or urllib3.ProxyManager’s ca_certs argument. Then ca_certs be None by default and in this case urllib3 (from version 1.25.3) will load the system CA certificates, as described here.

I have done the same with the asyncio python client since the ssl.create_default_context will also use the system’s default CA certificates if cafile, capath and cadata are all None, as documented here.

I have additionally:

  • Removed certifi as a dependency
  • Required urllib3 >= 1.25.3

These changes would be breaking for anyone relying on the certifi certificates, although I imagine most people’s system default CA certificates are adequate and in this case the change would not be noticed. Any user still wanting to use the certifi certificates could continue to do so by setting configuration.ssl_ca_cert=certifi.where().

PR checklist

  • Read the contribution guidelines.
  • Pull Request title clearly describes the work in the pull request and Pull Request description provides details about how to validate the work. Missing information here may result in delayed response from the community.
  • If contributing template-only or documentation-only changes which will change sample output, build the project beforehand.
  • Run the shell script ./bin/generate-samples.shto update all Petstore samples related to your fix. This is important, as CI jobs will verify all generator outputs of your HEAD commit as it would merge with master. These must match the expectations made by your contribution. You may regenerate an individual generator by passing the relevant config(s) as an argument to the script, for example ./bin/generate-samples.sh bin/configs/java*. For Windows users, please run the script in Git BASH.
  • File the PR against the correct branch: master
  • Copy the technical committee to review the pull request if your PR is targeting a particular programming language.

@taxpon @frol @mbohlool @cbornet @kenjones-cisco @tomplus @Jyhess @arun-nalla @spacether