Customizing cURL Certificate Verification

This PR builds off of #59 by @spmkone and closes #58.

Additions

- stream_io.open_stream and stream_io.CURLStreamFile now accept an additional, optional certificate_handling argument to customize the verification of SSL certificates
  - --cacert, --capath, and -k/--insecure in curl
  - stream_io.CAInfo to open_stream or the CURLStreamFile constructor
    - open_stream("https://localhost/model.tensors", certificate_handling=CAInfo(cacert="./localhost.pem"))
    - open_stream("https://127.0.0.1/model.tensors", certificate_handling=CAInfo(allow_untrusted=True))
  - Pass certificate_handling=None (the default) to use default certificate verification as compiled into cURL

Changes from #59

- This adds more secure alternatives to --insecure when using self-signed certificates, to encourage better security practices
- allow_insecure has been removed as a direct parameter to open_stream and friends, and is instead a CAInfo option
- Test cases cover using customized CAInfo configurations with self-signed certificates in moto
- Fixed a bug where only S3 and not raw HTTPS downloads were using open_stream's certificate verification configuration

Bonus

- Error messages in the CURLStreamFile constructor have been improved in the case where cURL terminates at startup with no other output (e.g. when SSL certificate verification fails) by querying the subprocess exit code and attaching it as supplementary information, if it is nonzero.
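The sketch below is an added example, not code from this PR or from the project. It shows how a certificate-handling option object can map onto cURL's --cacert, --capath and --insecure flags, and how a nonzero cURL exit code can be turned into supplementary error text. CertHandling, build_curl_argv and describe_exit are hypothetical names, and the rule that exactly one option may be set is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import List, Optional

# curl(1) exit codes that point at TLS / certificate problems.
CURL_TLS_EXIT_CODES = {
    35: "SSL connect error",
    60: "peer certificate cannot be authenticated with known CA certificates",
    77: "problem reading the SSL CA cert (path? access rights?)",
}


@dataclass(frozen=True)
class CertHandling:
    """Hypothetical stand-in for a CAInfo-style option object."""
    cacert: Optional[str] = None      # PEM bundle to trust -> --cacert
    capath: Optional[str] = None      # directory of CA certs -> --capath
    allow_untrusted: bool = False     # skip verification -> --insecure

    def __post_init__(self):
        # Design choice of this sketch: exactly one option, so disabling
        # verification is always explicit and never mixed with a trust anchor.
        chosen = [self.cacert is not None, self.capath is not None, self.allow_untrusted]
        if sum(chosen) != 1:
            raise ValueError("set exactly one of cacert, capath, allow_untrusted")

    def curl_flags(self) -> List[str]:
        if self.cacert is not None:
            return ["--cacert", self.cacert]
        if self.capath is not None:
            return ["--capath", self.capath]
        return ["--insecure"]


def build_curl_argv(url: str, certificate_handling: Optional[CertHandling] = None) -> List[str]:
    if not url.startswith(("http://", "https://")):
        raise ValueError("unexpected URL scheme")  # also blocks option-like input
    argv = ["curl", "--fail", "--silent", "--show-error"]
    if certificate_handling is not None:  # None: cURL's compiled-in defaults apply
        argv += certificate_handling.curl_flags()
    return argv + [url]


def describe_exit(returncode: int) -> Optional[str]:
    """Supplementary error text for a nonzero curl exit code, else None."""
    if returncode == 0:
        return None
    hint = CURL_TLS_EXIT_CODES.get(returncode, "see EXIT CODES in curl(1)")
    return f"curl exited with code {returncode}: {hint}"
```

Pinning a self-signed certificate with cacert keeps verification on for that one trust anchor, whereas allow_untrusted disables it entirely.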