Explicitly load default certificates when creating SSL context (httpie#1583)

AdamWill · AdamWill · commit eb7a56f0aa6c · 2024-09-03T17:05:04.000-07:00
Requests prior to 2.32.3 always loaded the default (system-wide) set of trusted certificates into custom SSL contexts. 2.32.3 no longer does. This has broken a lot of users, but the fix is moving slowly upstream due to security considerations - see psf/requests#6730 and psf/requests#6731 . As suggested at psf/requests#6710 (comment) this can be worked around by explicitly loading the default certificates into the context. We check the method exists before calling it just to be safe, but I'm pretty sure it's been there as long as this interface has existed. Signed-off-by: Adam Williamson <awilliam@redhat.com>
diff --git a/httpie/ssl_.py b/httpie/ssl_.py
@@ -48,6 +48,8 @@ def __init__(
             ssl_version=ssl_version,
             ciphers=ciphers,
         )
+        if getattr(self._ssl_context, 'load_default_certs', None) is not None:
+            self._ssl_context.load_default_certs()
         super().__init__(**kwargs)
 
     def init_poolmanager(self, *args, **kwargs):

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,8 @@ def __init__(`
`48`	`48`	`ssl_version=ssl_version,`
`49`	`49`	`ciphers=ciphers,`
`50`	`50`	`)`
	`51`	`+ if getattr(self._ssl_context, 'load_default_certs', None) is not None:`
	`52`	`+ self._ssl_context.load_default_certs()`
`51`	`53`	`super().__init__(**kwargs)`
`52`	`54`
`53`	`55`	`def init_poolmanager(self, args, *kwargs):`