Support self-signed SSL certificates

[mik-laj]

Hello,

I would like to add support for self-signed SSL certificates. Requests can ignore verifying the SSL certificate if we set verify to False: Unfortunately, in this library, it is not possible due to one incorrect condition in if-statement.
https://requests.readthedocs.io/en/master/user/advanced/#ssl-cert-verification
This is what I need to work on integration testing for Kerberos + Presto. I currently have a prepared environment.
https://github.com/mik-laj/presto-kerberos-docker
In the next step, I would like to integrate it with Apache Airflow.

Question for the project maintainer:
Would you like to use this environment in your CI/CD as well to test authorizations with Kerberos? Currently, they are very easy to configure. Just call start.sh and a full environment in Docker will be set up.

Best regards,
Kamil

[cla-bot]

Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@prestosql.io. For more information, see https://github.com/prestosql/cla.

[findepi]

Is your intention to have _ca_bundle=False here so that http_session.verify will be set to False?

[mik-laj]

Yes. Exactly.

[findepi]

I am not sure this is an intuitive API

[mik-laj]

What do you propose in return? Will it add a new parameter that will be mutually exclusive with ca_bundle?

[hashhar]

Does something like how PostgreSQL (and others) construct their URLs make sense? i.e. ?ssl=true&sslmode=verify&sslcert=cert.crt

ssl (http/https) and sslcert (ca bundle) are already there.
sslmode can be introduced as a new parameter.

[findepi]

This is what I need to work on integration testing for Kerberos + Presto. I currently have a prepared environment.
https://github.com/mik-laj/presto-kerberos-docker
In the next step, I would like to integrate it with Apache Airflow.

Question for the project maintainer:
Would you like to use this environment in your CI/CD as well to test authorizations with Kerberos? Currently, they are very easy to configure. Just call start.sh and a full environment in Docker will be set up.

This is definitely interesting!

Let's start a new issue about this and we will exchange thoughts there.

[findepi]

@mik-laj @dongwoo1005 how this relates to #31 ?

[mik-laj]

@mik-laj @dongwoo1005 how this relates to #31 ?

I think this is fine for me, but the confusing thing is that you can configure SSL validation in two ways:

• using ca_bundle: in auth
• using verify in client.

[findepi]

Indeed, this might be confusing, but there might be a reason for that. @electrum can you comment?