Merge pull request #65 from Clever/v2.5.0

Sayan- · web-flow · commit f68c5426415c · 2020-04-21T09:12:16.000-07:00
v2.5.0 - remove cert pinning
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 2.5.0 (2020-04-20)
+ * Remove certificate pinning
+
 ## 2.4.0 (2017-09-18)
  * Use API v1.2
 
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -1 +1 @@
-include *.txt clever/VERSION clever/data/clever.com_ca_bundle.crt
+include *.txt clever/VERSION
diff --git a/clever/VERSION b/clever/VERSION
@@ -1 +1 @@
-2.4.0
+2.5.0
diff --git a/clever/__init__.py b/clever/__init__.py
@@ -80,8 +80,6 @@
 
 logger = logging.getLogger('clever')
 
-# Use certs chain bundle including in the package for SSL verification
-CLEVER_CERTS = pkg_resources.resource_filename(__name__, 'data/clever.com_ca_bundle.crt')
 API_VERSION = "v1.2"
 
 # Configuration variables
@@ -305,17 +303,8 @@ def requests_request(self, meth, abs_url, headers, params):
 
     try:
       try:
-        # Use a CA_BUNDLE containing the following chain:
-        # - TrustedRoot
-        # - DigiCert High Assurance EV - 1
-        #
-        # This ensures that only this certificate chain is used to verify SSL certs.
-        # Certs dervived from other ca certs will be treated as invalid.
-        # eg. https://api.twitter.com and https://api.stripe.com FAIL
-        #     https://api.clever.com and https://api.github.com PASS
         result = requests.request(meth, abs_url,
-                                  headers=headers, data=data, timeout=80,
-                                  verify=CLEVER_CERTS)
+                                  headers=headers, data=data, timeout=80)
       except TypeError as e:
         raise TypeError(
             'Warning: It looks like your installed version of the "requests" library is not compatible with Clever\'s usage thereof. (HINT: The most likely cause is that your "requests" library is out of date. You can fix that by running "pip install -U requests".) The underlying error was: %s' % (e, ))
@@ -378,10 +367,6 @@ def pycurl_request(self, meth, abs_url, headers, params):
     curl.setopt(pycurl.TIMEOUT, 80)
     curl.setopt(pycurl.HTTPHEADER, ['%s: %s' % (k, v) for k, v in six.iteritems(headers)])
     curl.setopt(pycurl.HEADERFUNCTION, rheader.write)
-    if verify_ssl_certs:
-      curl.setopt(pycurl.CAINFO, CLEVER_CERTS)
-    else:
-      curl.setopt(pycurl.SSL_VERIFYHOST, False)
 
     try:
       curl.perform()
@@ -419,9 +404,6 @@ def urlfetch_request(self, meth, abs_url, headers, params):
     args['url'] = abs_url
     args['method'] = meth
     args['headers'] = headers
-    # Google App Engine doesn't let us specify our own cert bundle.
-    # However, that's ok because the CA bundle they use recognizes
-    # api.clever.com.
     args['validate_certificate'] = verify_ssl_certs
     # GAE requests time out after 60 seconds, so make sure we leave
     # some time for the application to handle a slow Clever
diff --git a/setup.py b/setup.py
@@ -34,7 +34,7 @@
       author_email='tech-support@clever.com',
       url='https://clever.com/',
       packages=['clever'],
-      package_data={'clever' : ['data/clever.com_ca_bundle.crt', 'VERSION']},
+      package_data={'clever' : ['VERSION']},
       install_requires=install_requires,
       test_suite='test',
 )
diff --git a/test/test_cert_pinning.py b/test/test_cert_pinning.py

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-include *.txt clever/VERSION clever/data/clever.com_ca_bundle.crt`
	`1`	`+include *.txt clever/VERSION`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@`
`34`	`34`	`author_email='tech-support@clever.com',`
`35`	`35`	`url='https://clever.com/',`
`36`	`36`	`packages=['clever'],`
`37`		`- package_data={'clever' : ['data/clever.com_ca_bundle.crt', 'VERSION']},`
	`37`	`+ package_data={'clever' : ['VERSION']},`
`38`	`38`	`install_requires=install_requires,`
`39`	`39`	`test_suite='test',`
`40`	`40`	`)`