Use "verify_ssl_cert=True" as a default on the CrateDB HTTP client

amotl · amotl · commit 757e950cb2d8 · 2021-03-16T11:44:58.000+01:00
Recently, this has been made a default on the CrateDB connection
object, but apparently it has been missed to also flip the switch on
this end.

Also, adjust the respective doctests accordingly.
diff --git a/src/crate/client/doctests/https.txt b/src/crate/client/doctests/https.txt
@@ -1,22 +1,21 @@
 .. _https_connection:
 
 ========================
-HTTPS Connection support
+HTTPS connection support
 ========================
 
-The CrateDB Client is able to connect via https.
+The CrateDB client is able to connect via HTTPS.
 
-.. note::
+A check against a specific CA certificate can be made by creating the client
+with the path to the CA certificate file using the keyword argument
+``ca_cert``.
 
-    By default, ssl server certificates are **NOT** verified.
+.. note::
 
-To enable verification, use the keyword argument ``verify_ssl_cert``.
-If it is set to ``True``, the server certificate is validated, if set to
-``False`` or ommitted, no verification will be done whatsoever.
+    By default, SSL server certificates are verified. To disable verification,
+    use the keyword argument ``verify_ssl_cert``. If it is set to ``False``,
+    server certificate validation will be skipped.
 
-One can check against a single CA certificate
-by creating the client with the a path to a CA certificate file to check against
-in keyword argument ``ca_cert``.
 
 .. rubric:: Table of Contents
 
@@ -26,45 +25,44 @@ in keyword argument ``ca_cert``.
 Examples
 --------
 
-By default, certificates are not verified. This call is against a server with
-a self signed certificate::
-
-    >>> http_client = HttpClient([crate_host])
-    >>> http_client.server_infos(http_client._get_server())
-    ('https://localhost:65534', 'test', '0.0.0')
-
 When switching on verification without a ``ca_cert`` file provided, the
-connection will fail::
+connection will fail because we are using a self-signed server certificate::
 
-    >>> verifying_client = HttpClient([crate_host], verify_ssl_cert=True)
+    >>> verifying_client = HttpClient([crate_host])
     >>> verifying_client.server_infos(crate_host)
     Traceback (most recent call last):
     ...
     crate.client.exceptions.ConnectionError: Server not available, ...certificate verify failed...
 
-Also when providing an invalid ``ca_cert`` an error is raised::
+Also, when providing an invalid ``ca_cert`` an error is raised::
 
-    >>> verifying_client = HttpClient([crate_host], ca_cert=invalid_ca_cert, verify_ssl_cert=True)
+    >>> verifying_client = HttpClient([crate_host], ca_cert=invalid_ca_cert)
     >>> verifying_client.server_infos(crate_host)
     Traceback (most recent call last):
     ...
     crate.client.exceptions.ConnectionError: Server not available, ...certificate verify failed...
 
-Without verification, the given ``ca_cert`` is ignored and the connection will be
-established, to Eves satisfaction.
+Connecting to a host whose certificate is verified with a valid CA certificate::
+
+    >>> verifying_valid_client = HttpClient([crate_host], ca_cert=valid_ca_cert)
+    >>> verifying_valid_client.server_infos(verifying_valid_client._get_server())
+    ('https://localhost:65534', 'test', '0.0.0')
 
-    >>> non_verifying_client = HttpClient([crate_host], ca_cert=invalid_ca_cert, verify_ssl_cert=False)
+When turning off certificate verification, calling the server will succeed::
+
+    >>> non_verifying_client = HttpClient([crate_host], verify_ssl_cert=False)
     >>> non_verifying_client.server_infos(crate_host)
     ('https://localhost:65534', 'test', '0.0.0')
 
-Connecting to a host whose certificate is verified with a valid CA certificate::
+Without verification, calling the server will even work when using an invalid
+``ca_cert``::
 
-    >>> verifying_valid_client = HttpClient([crate_host], ca_cert=valid_ca_cert, verify_ssl_cert=True)
-    >>> verifying_valid_client.server_infos(verifying_valid_client._get_server())
+    >>> non_verifying_client = HttpClient([crate_host], verify_ssl_cert=False, ca_cert=invalid_ca_cert)
+    >>> non_verifying_client.server_infos(crate_host)
     ('https://localhost:65534', 'test', '0.0.0')
 
 
-Client Certificate
+Client certificate
 ------------------
 
 The client supports client certificates.
@@ -73,12 +71,11 @@ The ``HttpClient`` constructor takes two keyword arguments: ``cert_file`` and
 ``key_file``. Both should be a string pointing to the path of the client
 certificate and key file.
 
-Below an example, in this case it fails because the supplied certificate is
+This example uses that options, however it fails because the certificate is
 invalid::
 
-    >>> client = HttpClient([crate_host], cert_file=invalid_ca_cert, key_file=invalid_ca_cert, verify_ssl_cert=True)
+    >>> client = HttpClient([crate_host], cert_file=invalid_ca_cert, key_file=invalid_ca_cert, timeout=10)
     >>> client.server_infos(crate_host)
     Traceback (most recent call last):
     ...
     crate.client.exceptions.ConnectionError: Server not available, exception: ...[SSL: ...
-
diff --git a/src/crate/client/http.py b/src/crate/client/http.py
@@ -312,7 +312,7 @@ def _get_socket_opts(keepalive=True,
 
 class Client(object):
     """
-    Crate connection client using crate's HTTP API.
+    Crate connection client using CrateDB's HTTP API.
     """
 
     SQL_PATH = '/_sql'
@@ -328,7 +328,7 @@ def __init__(self,
                  servers=None,
                  timeout=None,
                  backoff_factor=0,
-                 verify_ssl_cert=False,
+                 verify_ssl_cert=True,
                  ca_cert=None,
                  error_trace=False,
                  cert_file=None,
