Don't call curl.unsetopt(pycurl.CAINFO) to reset CA certificates to default.

bdarnell · bdarnell · commit 3951d5997a8c · 2011-02-19T13:43:33.000-08:00
This doesn't work because it clobbers the default CA certs, causing all
certificates to be rejected.  There doesn't seem to be any way to restore
the defaults, so just leave it untouched in the default case and document
the requirement that all requests use ca_certs if any do.
diff --git a/tornado/httpclient.py b/tornado/httpclient.py
@@ -425,6 +425,11 @@ def __init__(self, url, method="GET", headers=None, body=None,
         # validate_cert: boolean, set to False to disable validation
         # ca_certs: filename of CA certificates in PEM format, or
         #     None to use defaults
+        # Note that in the curl-based HTTP client, if any request
+        # uses a custom ca_certs file, they all must (they don't have to
+        # all use the same ca_certs, but it's not possible to mix requests
+        # with ca_certs and requests that use the defaults).
+        # SimpleAsyncHTTPClient does not have this limitation.
         self.validate_cert = validate_cert
         self.ca_certs = ca_certs
         self.start_time = time.time()
@@ -567,7 +572,13 @@ def _curl_setup_request(curl, request, buffer, headers):
     if request.ca_certs is not None:
         curl.setopt(pycurl.CAINFO, request.ca_certs)
     else:
-        curl.unsetopt(pycurl.CAINFO)
+        # There is no way to restore pycurl.CAINFO to its default value
+        # (Using unsetopt makes it reject all certificates).
+        # I don't see any way to read the default value from python so it
+        # can be restored later.  We'll have to just leave CAINFO untouched
+        # if no ca_certs file was specified, and require that if any
+        # request uses a custom ca_certs file, they all must.
+        pass
 
     # Set the request method through curl's retarded interface which makes
     # up names for almost every single method
