make sure internal ssl works with pycurl

and include it in tests!
2025-10-07 01:54:09 +00:00 · 2025-10-06 08:09:30 -07:00
parent a15656c1cf
commit a3e642150e
4 changed files with 24 additions and 19 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -173,7 +173,7 @@ jobs:
            # make sure our `>=` pins really do express our minimum supported versions
            pip install -r ci/oldest-dependencies/requirements.old -e .
          else
-            pip install --pre -e ".[test]"
+            pip install --pre -e ".[test]" pycurl
          fi

          if [ "${{ matrix.main_dependencies }}" != "" ]; then
--- a/jupyterhub/app.py
+++ b/jupyterhub/app.py
@@ -1984,14 +1984,15 @@ class JupyterHub(Application):

            # Configure the AsyncHTTPClient. This will affect anything using
            # AsyncHTTPClient.
-            ssl_context = make_ssl_context(
-                self.internal_ssl_key,
-                self.internal_ssl_cert,
-                cafile=self.internal_ssl_ca,
-            )
+            # can't use ssl_options in case of pycurl
            AsyncHTTPClient.configure(
                AsyncHTTPClient.configured_class(),
-                defaults={"ssl_options": ssl_context},
+                defaults=dict(
+                    ca_certs=self.internal_ssl_ca,
+                    client_key=self.internal_ssl_key,
+                    client_cert=self.internal_ssl_cert,
+                    validate_cert=True,
+                ),
            )

    def init_db(self):
--- a/jupyterhub/singleuser/extension.py
+++ b/jupyterhub/singleuser/extension.py
@@ -47,7 +47,6 @@ from jupyterhub.utils import (
    _bool_env,
    exponential_backoff,
    isoformat,
-    make_ssl_context,
    url_path_join,
 )

@@ -325,13 +324,15 @@ class JupyterHubSingleUser(ExtensionApp):

    @default('hub_http_client')
    def _default_client(self):
-        ssl_context = make_ssl_context(
-            self.hub_auth.keyfile,
-            self.hub_auth.certfile,
-            cafile=self.hub_auth.client_ca,
-        )
+        # can't use ssl_options in case of pycurl
        AsyncHTTPClient.configure(
-            AsyncHTTPClient.configured_class(), defaults={"ssl_options": ssl_context}
+            AsyncHTTPClient.configured_class(),
+            defaults=dict(
+                ca_certs=self.client_ca,
+                client_key=self.keyfile,
+                client_cert=self.certfile,
+                validate_cert=True,
+            ),
        )
        return AsyncHTTPClient()

--- a/jupyterhub/singleuser/mixins.py
+++ b/jupyterhub/singleuser/mixins.py
@@ -49,7 +49,6 @@ from ..utils import (
    _bool_env,
    exponential_backoff,
    isoformat,
-    make_ssl_context,
    url_path_join,
 )
 from ._decorator import allow_unauthenticated
@@ -403,11 +402,15 @@ class SingleUserNotebookAppMixin(Configurable):

    @default('hub_http_client')
    def _default_client(self):
-        ssl_context = make_ssl_context(
-            self.keyfile, self.certfile, cafile=self.client_ca
-        )
+        # can't use ssl_options in case of pycurl
        AsyncHTTPClient.configure(
-            AsyncHTTPClient.configured_class(), defaults={"ssl_options": ssl_context}
+            AsyncHTTPClient.configured_class(),
+            defaults=dict(
+                ca_certs=self.client_ca,
+                client_key=self.keyfile,
+                client_cert=self.certfile,
+                validate_cert=True,
+            ),
        )
        return AsyncHTTPClient()