Explicitly load default certificates when creating SSL context (httpi…

…e#1583) Requests prior to 2.32.3 always loaded the default (system-wide) set of trusted certificates into custom SSL contexts. 2.32.3 no longer does. This has broken a lot of users, but the fix is moving slowly upstream due to security considerations - see psf/requests#6730 and psf/requests#6731 . As suggested at psf/requests#6710 (comment) this can be worked around by explicitly loading the default certificates into the context. We check the method exists before calling it just to be safe, but I'm pretty sure it's been there as long as this interface has existed. Signed-off-by: Adam Williamson <awilliam@redhat.com>
AdamWill · Sep 4, 2024 · 6a0e0aa · 6a0e0aa
1 parent f4cf43e
commit 6a0e0aa
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/httpie/ssl_.py b/httpie/ssl_.py
@@ -48,6 +48,10 @@ def __init__(
             ssl_version=ssl_version,
             ciphers=ciphers,
         )
+        # workaround for a bug in requests 2.32.3, see:
+        # https://github.com/httpie/cli/issues/1583
+        if getattr(self._ssl_context, 'load_default_certs', None) is not None:
+            self._ssl_context.load_default_certs()
         super().__init__(**kwargs)
 
     def init_poolmanager(self, *args, **kwargs):