Release 1.24.2 (#1564)1.24.2release

* Don't load system certificates by default when any other ``ca_certs``, ``ca_certs_dir`` or ``ssl_context`` parameters are specified.
* Remove Authorization header regardless of case when redirecting to cross-site. (Issue #1510)
* Add support for IPv6 addresses in subjectAltName section of certificates. (Issue #1269)

1 files changed, 37 insertions, 0 deletions

diff --git a/test/test_ssl.py b/test/test_ssl.py
index 47359717..6a46b4f3 100644
--- a/test/test_ssl.py
+++ b/test/test_ssl.py
@@ -88,3 +88,40 @@ def test_create_urllib3_context_set_ciphers(monkeypatch, ciphers, expected_ciphe
 
     assert context.set_ciphers.call_count == 1
     assert context.set_ciphers.call_args == mock.call(expected_ciphers)
+
+
+def test_wrap_socket_given_context_no_load_default_certs():
+    context = mock.create_autospec(ssl_.SSLContext)
+    context.load_default_certs = mock.Mock()
+
+    sock = mock.Mock()
+    ssl_.ssl_wrap_socket(sock, ssl_context=context)
+
+    context.load_default_certs.assert_not_called()
+
+
+def test_wrap_socket_given_ca_certs_no_load_default_certs(monkeypatch):
+    context = mock.create_autospec(ssl_.SSLContext)
+    context.load_default_certs = mock.Mock()
+    context.options = 0
+
+    monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
+
+    sock = mock.Mock()
+    ssl_.ssl_wrap_socket(sock, ca_certs="/tmp/fake-file")
+
+    context.load_default_certs.assert_not_called()
+    context.load_verify_locations.assert_called_with("/tmp/fake-file", None)
+
+
+def test_wrap_socket_default_loads_default_certs(monkeypatch):
+    context = mock.create_autospec(ssl_.SSLContext)
+    context.load_default_certs = mock.Mock()
+    context.options = 0
+
+    monkeypatch.setattr(ssl_, "SSLContext", lambda *_, **__: context)
+
+    sock = mock.Mock()
+    ssl_.ssl_wrap_socket(sock)
+
+    context.load_default_certs.assert_called_with()