Explicitly load default certificates when creating SSL context (httpie#1583)

AdamWill · AdamWill · commit 2eaac7899f28 · 2024-09-06T15:48:33.000-07:00
Requests prior to 2.32.3 always loaded the default (system-wide) set of trusted certificates into custom SSL contexts. 2.32.3 no longer does. This has broken a lot of users, but the fix is moving slowly upstream due to security considerations - see psf/requests#6730 and psf/requests#6731 . As suggested at psf/requests#6710 (comment) this can be worked around by explicitly loading the default certificates into the context. We check the method exists before calling it just to be safe, it was added in Python 3.4. Signed-off-by: Adam Williamson <awilliam@redhat.com>
diff --git a/httpie/ssl_.py b/httpie/ssl_.py
@@ -48,6 +48,13 @@ def __init__(
             ssl_version=ssl_version,
             ciphers=ciphers,
         )
+        # workaround for a bug in requests 2.32.3, see:
+        # https://github.com/httpie/cli/issues/1583
+        if getattr(self._ssl_context, 'load_default_certs', None) is not None:
+            # if load_default_certs is present, get_ca_certs must be
+            # also, no need for another getattr
+            if not self._ssl_context.get_ca_certs():
+                self._ssl_context.load_default_certs()
         super().__init__(**kwargs)
 
     def init_poolmanager(self, *args, **kwargs):
