m-click / requests_pkcs12

Add PKCS#12 support to the Python requests library in a clean way, without monkey patching or temporary files
ISC License

Incompatibility with requests 2.32.3 - custom SSLContext via a Transport Adapter #55

Open pc-coholic opened 5 months ago

pc-coholic commented 5 months ago

This might be a false positive - but from preliminary experimentation, it seems like a recent change in requests might cause issues with requests_pkcs12.

With requests 2.32.0, a breaking change was introduced that returned every call that involved requests_pkcs12 with SSLContext via a Transport Adapter.

requests 2.32.3 (still unreleased as of right now, apparently scheduled for Tuesday) aims to fix this issue (Allow for overriding of specific pool key params #6716), but now all calls involving requests_pkcs12 fail with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate for me.

I'll try to dig a little deeper and see if this is indeed something that requires changes here - I just wanted to provide a heads-up in case 2.32.3 is indeed shipping a breaking change.

Minimal example:

import requests
from requests_pkcs12 import Pkcs12Adapter

client = requests.Session()
# Mount the PKCS#12 client-certificate adapter for this host
client.mount(
    'https://some.system/',
    Pkcs12Adapter(
        pkcs12_data=self.cert.read(),
        pkcs12_password=self.cert_password,
    ),
)

# This call raises the SSLError shown below
client.get('https://some.system/foo/bar')

HTTPSConnectionPool(host='some.system', port=443): Max retries exceeded with url: /foo/bar (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))
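A way to inspect a custom SSLContext before it is handed to a transport adapter, added here as an example; it is not code from this thread, from requests or from requests_pkcs12. It assumes the error above comes from a context that verifies certificates but has no CA certificates loaded, and `audit_client_context` and `build_client_context` are hypothetical names.

```python
import ssl


def audit_client_context(ctx):
    """Return findings that explain or predict certificate-verification problems."""
    findings = []
    # Counts certificates loaded from a file or from data; certificates in a
    # capath directory are loaded lazily by OpenSSL and are not counted here.
    stats = ctx.cert_store_stats()
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verification disabled: server certificate is not checked")
    elif stats["x509_ca"] == 0:
        findings.append("no CA certificates loaded: expect 'unable to get "
                        "local issuer certificate' unless a capath supplies them")
    if ctx.verify_mode != ssl.CERT_NONE and not ctx.check_hostname:
        findings.append("hostname checking disabled")
    return findings


def build_client_context(cafile=None):
    """Build a verifying client context with explicit trust anchors.

    cafile is an assumed parameter: a PEM bundle for a private CA. Without it
    the platform's default trust store is used.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


if __name__ == "__main__":
    # Constructed case: a context created by hand with nothing loaded into it.
    bare = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print("bare context:", audit_client_context(bare))
    print("built context:", audit_client_context(build_client_context()))
```

Running the audit on the context an adapter is about to use shows whether the trust store is empty without turning verification off to make the error go away.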

pc-coholic commented 5 months ago

This issue is now hopefully being fixed in https://github.com/psf/requests/pull/6731

A very quick fix would be to follow https://github.com/mikf/gallery-dl/commit/6cfbc1071fd88ed94776aa6f81f1582cda7fa5ab suit and place this within _create_sslcontext(). But since an update for requests is probably imminent, we could also just close this issue and wait for the issue to disappear by itself :-)

vog commented 5 months ago

Ok

prontsevychev commented 5 months ago

@vog Sorry, but this problem is still current with requests 2.32.0:

[image]

Could you reopen it?

dbaumgarten commented 4 months ago

Hi, the issue still persists with requests 2.32.3. I think this issue should be reopened.

vog commented 4 months ago

Ok, reopened. Pull requests are welcome.

pc-coholic commented 4 months ago

@vog I'll be happy to provide a one-line pull request to fix the issue.

But I was wondering if you'd prefer putting in a workaround (which will be superfluous once 2.32.4 is released/the above linked PR is merged) or just wait for said PR to land in requests....

vog commented 4 months ago

Never mind, we quickly added the fix of

on our own, and released requests_pkcs12 version 1.25:

Our local test suite runs fine with it.

Please check whether this solves the issue for you as well.

pc-coholic commented 4 months ago

Works for me, was exactly what I was experimenting with, too :)

vog commented 4 months ago

Thanks for your quick feedback. :+1:

vog commented 4 months ago

Leaving this issue open as a reminder to revert that workaround as soon as