base/SOURCES/00224-pep476-add-toggle-for-cert-verify.patch

diff -up Python-2.7.5/Lib/ssl.py.cert Python-2.7.5/Lib/ssl.py
--- Python-2.7.5/Lib/ssl.py.cert	2015-03-30 14:52:12.172241615 +0200
+++ Python-2.7.5/Lib/ssl.py	2015-03-30 15:16:49.168185354 +0200
@@ -466,8 +466,27 @@ def _create_unverified_context(protocol=
 
     return context
 
+_cert_verification_config = '/etc/python/cert-verification.cfg'
+
+def _get_verify_status(protocol):
+   context_factory = {
+       'platform_default': _create_unverified_context,
+       'enable': create_default_context,
+       'disable': _create_unverified_context
+   }
+   import ConfigParser
+   try:
+       config = ConfigParser.RawConfigParser()
+       config.read(_cert_verification_config)
+       status = config.get(protocol, 'verify')
+   except (ConfigParser.NoSectionError, ConfigParser.NoOptionError):
+       status = 'platform_default'
+   default = context_factory.get('platform_default')
+   return context_factory.get(status, default)
+
+
 # Used by http.client if no context is explicitly passed.
-_create_default_https_context = create_default_context
+_create_default_https_context = _get_verify_status('https')
 
 
 # Backwards compatibility alias, even though it's not a public name.
diff -up Python-2.7.5/Lib/test/test_httplib.py.cert Python-2.7.5/Lib/test/test_httplib.py
--- Python-2.7.5/Lib/test/test_httplib.py.cert	2015-03-30 16:45:30.738794461 +0200
+++ Python-2.7.5/Lib/test/test_httplib.py	2015-03-30 16:54:48.065062351 +0200
@@ -516,12 +516,24 @@ class HTTPSTest(TestCase):
         h = httplib.HTTPSConnection(HOST, TimeoutTest.PORT, timeout=30)
         self.assertEqual(h.timeout, 30)
 
+    def test_networked_default(self):
+        # specific to RHEL
+        # Default settings: doesnt requires a valid cert from a trusted CA
+        test_support.requires('network')
+        with test_support.transient_internet('self-signed.pythontest.net'):
+            h = httplib.HTTPSConnection('self-signed.pythontest.net', 443)
+            h.request('GET', '/')
+            resp = h.getresponse()
+            self.assertIn('nginx', resp.getheader('server'))
+
+    # We have to pass safe context to test cert verification
+    # RHEL by default disable cert verification
     def test_networked(self):
-        # Default settings: requires a valid cert from a trusted CA
         import ssl
         test_support.requires('network')
         with test_support.transient_internet('self-signed.pythontest.net'):
-            h = httplib.HTTPSConnection('self-signed.pythontest.net', 443)
+            context = ssl.create_default_context()
+            h = httplib.HTTPSConnection('self-signed.pythontest.net', 443, context=context)
             with self.assertRaises(ssl.SSLError) as exc_info:
                 h.request('GET', '/')
             self.assertEqual(exc_info.exception.reason, 'CERTIFICATE_VERIFY_FAILED')
@@ -542,8 +554,10 @@ class HTTPSTest(TestCase):
     def test_networked_trusted_by_default_cert(self):
         # Default settings: requires a valid cert from a trusted CA
         test_support.requires('network')
+        import ssl
         with test_support.transient_internet('www.python.org'):
-            h = httplib.HTTPSConnection('www.python.org', 443)
+            context = ssl.create_default_context()
+            h = httplib.HTTPSConnection('www.python.org', 443, context=context)
             h.request('GET', '/')
             resp = h.getresponse()
             content_type = resp.getheader('content-type')
@@ -579,7 +592,8 @@ class HTTPSTest(TestCase):
         # The custom cert isn't known to the default trust bundle
         import ssl
         server = self.make_server(CERT_localhost)
-        h = httplib.HTTPSConnection('localhost', server.port)
+        context = ssl.create_default_context()
+        h = httplib.HTTPSConnection('localhost', server.port, context=context)
         with self.assertRaises(ssl.SSLError) as exc_info:
             h.request('GET', '/')
         self.assertEqual(exc_info.exception.reason, 'CERTIFICATE_VERIFY_FAILED')
@@ -624,6 +638,9 @@ class HTTPSTest(TestCase):
         for hp in ("www.python.org:abc", "user:password@www.python.org"):
             self.assertRaises(httplib.InvalidURL, httplib.HTTPSConnection, hp)
 
+        import ssl
+        context = ssl.create_default_context()
+
         for hp, h, p in (("[fe80::207:e9ff:fe9b]:8000",
                           "fe80::207:e9ff:fe9b", 8000),
                          ("www.python.org:443", "www.python.org", 443),
@@ -632,7 +648,7 @@ class HTTPSTest(TestCase):
                          ("[fe80::207:e9ff:fe9b]", "fe80::207:e9ff:fe9b", 443),
                          ("[fe80::207:e9ff:fe9b]:", "fe80::207:e9ff:fe9b",
                              443)):
-            c = httplib.HTTPSConnection(hp)
+            c = httplib.HTTPSConnection(hp, context=context)
             self.assertEqual(h, c.host)
             self.assertEqual(p, c.port)