allow to disable TLS certificate verification

arangodb · Apr 13, 2022 · daf384e · daf384e
1 parent b69a0df
commit daf384e
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 1 deletion.
diff --git a/arango/client.py b/arango/client.py
@@ -20,7 +20,6 @@
 )
 from arango.version import version
 
-
 class ArangoClient:
     """ArangoDB client.
 
@@ -45,6 +44,8 @@ class ArangoClient:
         the de-serialized object. If not given, ``json.loads`` is used by
         default.
     :type deserializer: callable
+    :param verify_certificate: Verify TLS certificates.
+    :type verify_certificate: bool
     """
 
     def __init__(
@@ -55,6 +56,7 @@ def __init__(
         http_client: Optional[HTTPClient] = None,
         serializer: Callable[..., str] = lambda x: dumps(x),
         deserializer: Callable[[str], Any] = lambda x: loads(x),
+        verify_certificate: bool = True,
     ) -> None:
         if isinstance(hosts, str):
             self._hosts = [host.strip("/") for host in hosts.split(",")]
@@ -75,6 +77,10 @@ def __init__(
         self._serializer = serializer
         self._deserializer = deserializer
         self._sessions = [self._http.create_session(h) for h in self._hosts]
+
+        # set flag for SSL/TLS certificate verification
+        for session in self._sessions:
+            session.verify = verify_certificate
 
     def __repr__(self) -> str:
         return f"<ArangoClient {','.join(self._hosts)}>"
@@ -110,6 +116,7 @@ def db(
         verify: bool = False,
         auth_method: str = "basic",
         superuser_token: Optional[str] = None,
+        verify_certificate: bool = True,
     ) -> StandardDatabase:
         """Connect to an ArangoDB database and return the database API wrapper.
 
@@ -130,6 +137,8 @@ def db(
             If set, parameters **username**, **password** and **auth_method**
             are ignored. This token is not refreshed automatically.
         :type superuser_token: str
+        :param verify_certificate: Verify TLS certificates.
+        :type verify_certificate: bool
         :return: Standard database API wrapper.
         :rtype: arango.database.StandardDatabase
         :raise arango.exceptions.ServerConnectionError: If **verify** was set

diff --git a/docs/certificates.rst b/docs/certificates.rst
@@ -0,0 +1,30 @@
+TLS certificate verification
+----------------------------
+
+When connecting against a server using an https/TLS connection, TLS certificates
+are verified by default.
+By default, self-signed certificates will cause trouble when connecting.
+
+.. code-block:: python
+
+    client = ArangoClient(hosts="https://localhost:8529")
+
+In order to make connections work even when using self-signed certificates, the
+`verify_certificates` option can be disabled when creating the `ArangoClient`
+instance:
+
+.. code-block:: python
+
+    client = ArangoClient(hosts="https://localhost:8529", verify_certificate=False)
+
+This will allow connecting, but the underlying `urllib3` library may still issue
+warnings due to the insecurity of using self-signed certificates.
+
+To turn off these warnings as well, you can add the following code to your client
+application:
+
+.. code-block:: python
+
+    import requests
+    requests.packages.urllib3.disable_warnings() 
+