From eb7a56f0aa6c25632e4037d3fb8d0b5c657499ab Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Tue, 3 Sep 2024 16:58:01 -0700
Subject: [PATCH] Explicitly load default certificates when creating SSL
 context (#1583)

Requests prior to 2.32.3 always loaded the default (system-wide)
set of trusted certificates into custom SSL contexts. 2.32.3 no
longer does. This has broken a lot of users, but the fix is
moving slowly upstream due to security considerations - see
https://github.com/psf/requests/issues/6730 and
https://github.com/psf/requests/pull/6731 .

As suggested at
https://github.com/psf/requests/pull/6710#issuecomment-2137802782
this can be worked around by explicitly loading the default
certificates into the context. We check the method exists before
calling it just to be safe, but I'm pretty sure it's been there
as long as this interface has existed.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
---
 httpie/ssl_.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/httpie/ssl_.py b/httpie/ssl_.py
index af5ca548db..40f075acf8 100644
--- a/httpie/ssl_.py
+++ b/httpie/ssl_.py
@@ -48,6 +48,8 @@ def __init__(
             ssl_version=ssl_version,
             ciphers=ciphers,
         )
+        if getattr(self._ssl_context, 'load_default_certs', None) is not None:
+            self._ssl_context.load_default_certs()
         super().__init__(**kwargs)
 
     def init_poolmanager(self, *args, **kwargs):