From d9af575a73280c7b2b897fafb239b508799d6566 Mon Sep 17 00:00:00 2001
From: Chris Hunt <chrahunt@gmail.com>
Date: Sat, 7 Dec 2019 22:52:53 -0500
Subject: [PATCH 1/2] Wrap HAS_TLS in a function

Next we'll refactor the value to be computed lazily.
---
 src/pip/_internal/models/search_scope.py | 4 ++--
 src/pip/_internal/network/session.py     | 4 ++--
 src/pip/_internal/utils/compat.py        | 5 +++++
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/pip/_internal/models/search_scope.py b/src/pip/_internal/models/search_scope.py
index 6e387068b63..45d6b557ead 100644
--- a/src/pip/_internal/models/search_scope.py
+++ b/src/pip/_internal/models/search_scope.py
@@ -10,7 +10,7 @@
 from pip._vendor.six.moves.urllib import parse as urllib_parse
 
 from pip._internal.models.index import PyPI
-from pip._internal.utils.compat import HAS_TLS
+from pip._internal.utils.compat import has_tls
 from pip._internal.utils.misc import normalize_path, redact_auth_from_url
 from pip._internal.utils.typing import MYPY_CHECK_RUNNING
 
@@ -52,7 +52,7 @@ def create(
 
         # If we don't have TLS enabled, then WARN if anyplace we're looking
         # relies on TLS.
-        if not HAS_TLS:
+        if not has_tls():
             for link in itertools.chain(index_urls, built_find_links):
                 parsed = urllib_parse.urlparse(link)
                 if parsed.scheme == 'https':
diff --git a/src/pip/_internal/network/session.py b/src/pip/_internal/network/session.py
index 8eb4d88349c..2f980bf9ab8 100644
--- a/src/pip/_internal/network/session.py
+++ b/src/pip/_internal/network/session.py
@@ -26,7 +26,7 @@
 from pip._internal.network.auth import MultiDomainBasicAuth
 from pip._internal.network.cache import SafeFileCache
 # Import ssl from compat so the initial import occurs in only one place.
-from pip._internal.utils.compat import HAS_TLS, ipaddress, ssl
+from pip._internal.utils.compat import has_tls, ipaddress, ssl
 from pip._internal.utils.filesystem import check_path_owner
 from pip._internal.utils.glibc import libc_ver
 from pip._internal.utils.misc import (
@@ -153,7 +153,7 @@ def user_agent():
     if platform.machine():
         data["cpu"] = platform.machine()
 
-    if HAS_TLS:
+    if has_tls():
         data["openssl_version"] = ssl.OPENSSL_VERSION
 
     setuptools_version = get_installed_version("setuptools")
diff --git a/src/pip/_internal/utils/compat.py b/src/pip/_internal/utils/compat.py
index 26f6b0ea5d7..aa07628d70a 100644
--- a/src/pip/_internal/utils/compat.py
+++ b/src/pip/_internal/utils/compat.py
@@ -85,6 +85,11 @@ def backslashreplace_decode_fn(err):
     backslashreplace_decode = "backslashreplace"
 
 
+def has_tls():
+    # type: () -> bool
+    return HAS_TLS
+
+
 def str_to_display(data, desc=None):
     # type: (Union[bytes, Text], Optional[str]) -> Text
     """

From 9eee2171c468e87e13cd9b17300ce24779918156 Mon Sep 17 00:00:00 2001
From: Chris Hunt <chrahunt@gmail.com>
Date: Sat, 7 Dec 2019 22:58:17 -0500
Subject: [PATCH 2/2] Lazy evaluate has_tls result

This avoids an unnecessary unconditional import of ssl and urllib3 in
compat.
---
 src/pip/_internal/network/session.py |  3 ++-
 src/pip/_internal/utils/compat.py    | 20 ++++++++------------
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/src/pip/_internal/network/session.py b/src/pip/_internal/network/session.py
index 2f980bf9ab8..2d208cb65c3 100644
--- a/src/pip/_internal/network/session.py
+++ b/src/pip/_internal/network/session.py
@@ -26,7 +26,7 @@
 from pip._internal.network.auth import MultiDomainBasicAuth
 from pip._internal.network.cache import SafeFileCache
 # Import ssl from compat so the initial import occurs in only one place.
-from pip._internal.utils.compat import has_tls, ipaddress, ssl
+from pip._internal.utils.compat import has_tls, ipaddress
 from pip._internal.utils.filesystem import check_path_owner
 from pip._internal.utils.glibc import libc_ver
 from pip._internal.utils.misc import (
@@ -154,6 +154,7 @@ def user_agent():
         data["cpu"] = platform.machine()
 
     if has_tls():
+        import _ssl as ssl
         data["openssl_version"] = ssl.OPENSSL_VERSION
 
     setuptools_version = get_installed_version("setuptools")
diff --git a/src/pip/_internal/utils/compat.py b/src/pip/_internal/utils/compat.py
index aa07628d70a..d347b73d98d 100644
--- a/src/pip/_internal/utils/compat.py
+++ b/src/pip/_internal/utils/compat.py
@@ -14,21 +14,12 @@
 import sys
 
 from pip._vendor.six import PY2, text_type
-from pip._vendor.urllib3.util import IS_PYOPENSSL
 
 from pip._internal.utils.typing import MYPY_CHECK_RUNNING
 
 if MYPY_CHECK_RUNNING:
     from typing import Optional, Text, Tuple, Union
 
-try:
-    import _ssl  # noqa
-except ImportError:
-    ssl = None
-else:
-    # This additional assignment was needed to prevent a mypy error.
-    ssl = _ssl
-
 try:
     import ipaddress
 except ImportError:
@@ -48,8 +39,6 @@
 
 logger = logging.getLogger(__name__)
 
-HAS_TLS = (ssl is not None) or IS_PYOPENSSL
-
 if PY2:
     import imp
 
@@ -87,7 +76,14 @@ def backslashreplace_decode_fn(err):
 
 def has_tls():
     # type: () -> bool
-    return HAS_TLS
+    try:
+        import _ssl  # noqa: F401  # ignore unused
+        return True
+    except ImportError:
+        pass
+
+    from pip._vendor.urllib3.util import IS_PYOPENSSL
+    return IS_PYOPENSSL
 
 
 def str_to_display(data, desc=None):