support using system certificates via 'truststore' (#6582)

https://github.com/mikf/gallery-dl/issues/6582#issuecomment-2989290495
This commit is contained in:
Mike Fährmann
2025-06-20 19:55:01 +02:00
parent 8a35863e86
commit b0d7de3603
6 changed files with 52 additions and 11 deletions

View File

@@ -485,8 +485,17 @@ class Extractor():
ssl_options |= ssl.OP_NO_TLSv1_2
self.log.debug("TLS 1.2 disabled.")
if self.config("truststore"):
try:
from truststore import SSLContext as ssl_ctx
except ImportError as exc:
self.log.error("%s: %s", exc.__class__.__name__, exc)
ssl_ctx = None
else:
ssl_ctx = None
adapter = _build_requests_adapter(
ssl_options, ssl_ciphers, source_address)
ssl_options, ssl_ciphers, ssl_ctx, source_address)
session.mount("https://", adapter)
session.mount("http://", adapter)
@@ -979,19 +988,30 @@ class RequestsAdapter(HTTPAdapter):
return HTTPAdapter.proxy_manager_for(self, *args, **kwargs)
def _build_requests_adapter(ssl_options, ssl_ciphers, source_address):
key = (ssl_options, ssl_ciphers, source_address)
def _build_requests_adapter(
ssl_options, ssl_ciphers, ssl_ctx, source_address):
key = (ssl_options, ssl_ciphers, ssl_ctx, source_address)
try:
return _adapter_cache[key]
except KeyError:
pass
if ssl_options or ssl_ciphers:
ssl_context = urllib3.connection.create_urllib3_context(
options=ssl_options or None, ciphers=ssl_ciphers)
if not requests.__version__ < "2.32":
# https://github.com/psf/requests/pull/6731
ssl_context.load_verify_locations(requests.certs.where())
if ssl_options or ssl_ciphers or ssl_ctx:
if ssl_ctx is None:
ssl_context = urllib3.connection.create_urllib3_context(
options=ssl_options or None, ciphers=ssl_ciphers)
if not requests.__version__ < "2.32":
# https://github.com/psf/requests/pull/6731
ssl_context.load_verify_locations(requests.certs.where())
else:
ssl_ctx_orig = urllib3.util.ssl_.SSLContext
try:
urllib3.util.ssl_.SSLContext = ssl_ctx
ssl_context = urllib3.connection.create_urllib3_context(
options=ssl_options or None, ciphers=ssl_ciphers)
finally:
urllib3.util.ssl_.SSLContext = ssl_ctx_orig
ssl_context.check_hostname = False
else:
ssl_context = None