Skip to content

requests should ignore REQUESTS_CA_BUNDLE when session.verify is False #5921

New issue
New issue
Closed
#5922
Closed
requests should ignore REQUESTS_CA_BUNDLE when session.verify is False#5921
#5922
Labels
Breaking API ChangeBug
@brmzkw

Description

@brmzkw
brmzkw
opened on Sep 1, 2021

The argument session.verify set to False is ignored when the environment variable REQUESTS_CA_BUNDLE is set.

Reproduction Steps

✅ empty REQUESTS_CA_BUNDLE and session.verify = True : exception is raised

$> REQUESTS_CA_BUNDLE= python -c 'import requests; session = requests.Session(); session.verify = True; session.get("https://expired.badssl.com")' ... requests.exceptions.SSLError: HTTPSConnectionPool(host='expired.badssl.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1131)')))

✅ empty REQUESTS_CA_BUNDLE and session.verify = False: no exception raised

$> REQUESTS_CA_BUNDLE= python -c 'import requests; session = requests.Session(); session.verify = False; session.get("https://expired.badssl.com")'

REQUESTS_CA_BUNDLE is invalid, and no verify is given to requests.get (defaults to True): exception is raised because REQUESTS_CA_BUNDLE is invalid

$> REQUESTS_CA_BUNDLE=invalid python -c 'import requests; requests.get("https://expired.badssl.com")' ... OSError: Could not find a suitable TLS CA certificate bundle, invalid path: invalid

REQUESTS_CA_BUNDLE is invalid and verify=False is given to requests.get: no exception raised

$> REQUESTS_CA_BUNDLE=invalid python -c 'import requests; requests.get("https://expired.badssl.com", verify=False)'

REQUESTS_CA_BUNDLE is invalid and session.verify = True : exception is raised

$> REQUESTS_CA_BUNDLE=invalid python -c 'import requests; session = requests.Session(); session.verify = True; session.get("https://expired.badssl.com")' ... OSError: Could not find a suitable TLS CA certificate bundle, invalid path: invalid

REQUESTS_CA_BUNDLE is invalid and session.verify = False : exception is raised

$> REQUESTS_CA_BUNDLE=invalid python -c 'import requests; session = requests.Session(); session.verify = False; session.get("https://expired.badssl.com")' ... OSError: Could not find a suitable TLS CA certificate bundle, invalid path: invalid

The problem comes from

requests/requests/sessions.py

Line 717 in b0e025a

if verify is True or verify is None:
which ignores the value of self.verify.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Breaking API ChangeBug

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions