From fd7cf71a17c0382c1d189546d1f52e8d8f1d5212 Mon Sep 17 00:00:00 2001
From: Partha Aji
Date: Thu, 4 Aug 2022 13:29:18 -0400
Subject: [PATCH] fixes #3036 - Setup the SSL Context correctly for https proxies

---
 CHANGES/3036.bugfix          | 1 +
 pulpcore/download/factory.py | 9 +++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 CHANGES/3036.bugfix

diff --git a/CHANGES/3036.bugfix b/CHANGES/3036.bugfix
new file mode 100644
index 0000000000..515e1ba0b2
--- /dev/null
+++ b/CHANGES/3036.bugfix
@@ -0,0 +1 @@
+Fixed setting up of default ssl context if the proxy is https
diff --git a/pulpcore/download/factory.py b/pulpcore/download/factory.py
index 7df150d3eb..b644d63062 100644
--- a/pulpcore/download/factory.py
+++ b/pulpcore/download/factory.py
@@ -107,6 +107,9 @@ def _make_aiohttp_session_from_remote(self):
         sslcontext = None
         if self._remote.ca_cert:
             sslcontext = ssl.create_default_context(cadata=self._remote.ca_cert)
+        elif self._is_remote_proxy_secure():
+            sslcontext = ssl.create_default_context()
+
         if self._remote.client_key and self._remote.client_cert:
             if not sslcontext:
                 sslcontext = ssl.create_default_context()
@@ -123,6 +126,7 @@ def _make_aiohttp_session_from_remote(self):
             sslcontext.check_hostname = False
             sslcontext.verify_mode = ssl.CERT_NONE
         if sslcontext:
+            sslcontext.load_default_certs()
             tcp_conn_opts["ssl_context"] = sslcontext
 
         headers = MultiDict({"User-Agent": DownloaderFactory.user_agent()})
@@ -194,6 +198,8 @@ class to be instantiated.
         """
         options = {"session": self._session}
         if self._remote.proxy_url:
+            if self._is_remote_proxy_secure():
+                setattr(asyncio.sslproto._SSLProtocolTransport, "_start_tls_compatible", True)
             options["proxy"] = self._remote.proxy_url
             if self._remote.proxy_username and self._remote.proxy_password:
                 options["proxy_auth"] = aiohttp.BasicAuth(
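Review bot: The unconditional `sslcontext.load_default_certs()` added in the second factory.py hunk (the `if sslcontext:` block) widens the trust store of a context that the first hunk creates with `cadata=self._remote.ca_cert`, so a remote configured to trust only a private CA will now also accept any certificate chaining to a system CA. If `tcp_conn_opts["ssl_context"]` is used for the remote's own handshake as well as the proxy's (the connector setup is outside the hunk), that changes what `ca_cert` means rather than only fixing the https-proxy case. Consider loading system CAs only in the case that needs them, e.g. `if self._remote.ca_cert and self._is_remote_proxy_secure(): sslcontext.load_default_certs()`, with a comment such as `# system CAs are needed to verify an https proxy; ca_cert alone pins the remote`. The `elif` branch's `ssl.create_default_context()` already loads the system CAs, so the extra call is redundant there.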
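Review bot: `setattr(asyncio.sslproto._SSLProtocolTransport, "_start_tls_compatible", True)` in the `build()` hunk mutates a private asyncio class attribute process-wide on every call, so it is re-executed per download and affects every aiohttp connection in the interpreter, not only this remote. Because the attribute is private and may disappear or change meaning across Python and aiohttp versions, it should be applied once (at import or in `__init__`), guarded with `hasattr(asyncio.sslproto, "_SSLProtocolTransport")`, and explained in a comment naming the aiohttp behaviour it works around, e.g. `# aiohttp only allows TLS-in-TLS for https proxies when the transport class advertises start_tls support; verify against the pinned aiohttp version`. `build()` begins outside the hunk.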
@@ -225,3 +231,6 @@ class to be instantiated.
         is configured with the remote settings.
         """
         return download_class(url, **kwargs)
+
+    def _is_remote_proxy_secure(self):
+        return self._remote.proxy_url and urlparse(self._remote.proxy_url).scheme == "https"
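Review bot: `_is_remote_proxy_secure` returns `self._remote.proxy_url` itself (a string, `None` or `""`) rather than a boolean when no proxy is configured, and has no docstring even though it is now called from both `_make_aiohttp_session_from_remote` and `build()`. Return an explicit bool and state the contract: `return bool(self._remote.proxy_url) and urlparse(self._remote.proxy_url).scheme == "https"` with a docstring `"""Return True when the remote's proxy_url uses the https scheme."""`. `urlparse` must be in scope in factory.py; the import block is outside the hunk, so that cannot be confirmed here. The enclosing class starts outside the hunk.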