Explicitly load default certificates when creating SSL context (#1583) (

#1596)

* Explicitly load default certificates when creating SSL context (#1583)

Requests prior to 2.32.3 always loaded the default (system-wide)
set of trusted certificates into custom SSL contexts. 2.32.3 no
longer does. This has broken a lot of users, but the fix is
moving slowly upstream due to security considerations - see
psf/requests#6730 and
psf/requests#6731 .

As suggested at
psf/requests#6710 (comment)
this can be worked around by explicitly loading the default
certificates into the context. We check the method exists before
calling it just to be safe, it was added in Python 3.4.

Signed-off-by: Adam Williamson <awilliam@redhat.com>

* Drop the upper bound on the requests dependency again

As we can now work with requests 2.32.3+, we no longer need this
pin.

Signed-off-by: Adam Williamson <awilliam@redhat.com>

---------

Signed-off-by: Adam Williamson <awilliam@redhat.com>

httpie/ssl_.py

@@ -48,6 +48,13 @@ def __init__(
             ssl_version=ssl_version,
             ciphers=ciphers,
         )
+        # workaround for a bug in requests 2.32.3, see:
+        # https://github.com/httpie/cli/issues/1583
+        if getattr(self._ssl_context, 'load_default_certs', None) is not None:
+            # if load_default_certs is present, get_ca_certs must be
+            # also, no need for another getattr
+            if not self._ssl_context.get_ca_certs():
+                self._ssl_context.load_default_certs()
         super().__init__(**kwargs)
 
     def init_poolmanager(self, *args, **kwargs):

setup.cfg

@@ -50,7 +50,7 @@ install_requires =
     pip
     charset_normalizer>=2.0.0
     defusedxml>=0.6.0
-    requests[socks] >=2.22.0, <=2.31.0
+    requests[socks] >=2.22.0
     Pygments>=2.5.2
     requests-toolbelt>=0.9.1
     multidict>=4.7.0