Skip to content

Commit 0385fa2

Browse files
committed
PYTHON-5040 Only use PROTOCOL_TLS_CLIENT in http_post on macOS
1 parent 637ce77 commit 0385fa2

2 files changed

Lines changed: 20 additions & 12 deletions

File tree

test/asynchronous/test_encryption.py

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -3045,12 +3045,16 @@ async def asyncSetUp(self):
30453045
async def http_post(self, path, data=None):
30463046
# Note, the connection to the mock server needs to be closed after
30473047
# each request because the server is single threaded.
3048-
# Use PROTOCOL_TLS_CLIENT instead of create_default_context so that
3049-
# X509_V_FLAG_X509_STRICT is not set. Python 3.14 enables strict mode
3050-
# in create_default_context, which requires SKI on the root CA cert.
3051-
# We intentionally omit SKI from the CA cert to prevent macOS SecTrust
3052-
# from triggering OCSP revocation checks during MongoDB server startup.
3053-
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3048+
if sys.platform == "darwin":
3049+
# macOS: use PROTOCOL_TLS_CLIENT instead of create_default_context
3050+
# so that X509_V_FLAG_X509_STRICT is not set. Python 3.14 enables
3051+
# strict mode in create_default_context, which requires SKI on the
3052+
# root CA cert. We intentionally omit SKI from the CA cert to
3053+
# prevent macOS SecTrust from triggering OCSP revocation checks
3054+
# during MongoDB server startup.
3055+
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3056+
else:
3057+
ctx = ssl.create_default_context()
30543058
ctx.load_verify_locations(cafile=CA_PEM)
30553059
ctx.load_cert_chain(CLIENT_PEM)
30563060
conn = http.client.HTTPSConnection("127.0.0.1:9003", context=ctx)

test/test_encryption.py

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -3027,12 +3027,16 @@ def setUp(self):
30273027
def http_post(self, path, data=None):
30283028
# Note, the connection to the mock server needs to be closed after
30293029
# each request because the server is single threaded.
3030-
# Use PROTOCOL_TLS_CLIENT instead of create_default_context so that
3031-
# X509_V_FLAG_X509_STRICT is not set. Python 3.14 enables strict mode
3032-
# in create_default_context, which requires SKI on the root CA cert.
3033-
# We intentionally omit SKI from the CA cert to prevent macOS SecTrust
3034-
# from triggering OCSP revocation checks during MongoDB server startup.
3035-
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3030+
if sys.platform == "darwin":
3031+
# macOS: use PROTOCOL_TLS_CLIENT instead of create_default_context
3032+
# so that X509_V_FLAG_X509_STRICT is not set. Python 3.14 enables
3033+
# strict mode in create_default_context, which requires SKI on the
3034+
# root CA cert. We intentionally omit SKI from the CA cert to
3035+
# prevent macOS SecTrust from triggering OCSP revocation checks
3036+
# during MongoDB server startup.
3037+
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3038+
else:
3039+
ctx = ssl.create_default_context()
30363040
ctx.load_verify_locations(cafile=CA_PEM)
30373041
ctx.load_cert_chain(CLIENT_PEM)
30383042
conn = http.client.HTTPSConnection("127.0.0.1:9003", context=ctx)

0 commit comments

Comments
 (0)