Support SSL_CERT_FILE and SSL_CERT_DIR env vars

Python PEP 476 (Enabling certificate verification by default for stdlib http
clients) recommends the use of SSL_CERT_FILE and SSL_CERT_DIR environment
variables to point the OpenSSL library used by Python to use a specific
non-default bundle of trusted CA certificates.

https://www.python.org/dev/peps/pep-0476/#trust-database

These variables could not have been used to point scripts using requests to a
different CA bundle.  A different variable, REQUESTS_CA_BUNDLE, is read by
requests.  CURL_CA_BUNDLE is also used for compatibility with cURL.

This commit makes requests also look at SSL_CERT_FILE and SSL_CERT_DIR.  They
are handled as equivalent to REQUESTS_CA_BUNDLE.  As REQUESTS_CA_BUNDLE can
point to either a certificate file or a certificate directory, SSL_CERT_* can
also point to a file or directory.  There's no attempt to ensure SSL_CERT_FILE
can only point to a file and SSL_CERT_DIR to a directory.  This is similar to
how CURL_CA_BUNDLE is handled - requests allows it to specify a certificate
directory, while cURL only allows it to specify a certificate file.

Fixes requests issue #2899:

https://github.com/kennethreitz/requests/issues/2899
Tomas Hoger
2015-11-26 22:31:46 +01:00
parent 6cfe6e775f
commit 0c14e84c82
+5 -3
@@ -618,11 +618,13 @@ class Session(SessionRedirectMixin):
for (k, v) in env_proxies.items():
proxies.setdefault(k, v)
# Look for requests environment configuration and be compatible
# with cURL.
# Look for requests CA_BUNDLE configuration in the environment. Be
# compatible with cURL and PEP 476 / OpenSSL.
if verify is True or verify is None:
verify = (os.environ.get('REQUESTS_CA_BUNDLE') or
os.environ.get('CURL_CA_BUNDLE'))
os.environ.get('CURL_CA_BUNDLE') or
os.environ.get('SSL_CERT_FILE') or
os.environ.get('SSL_CERT_DIR'))
# Merge all the kwargs.
proxies = merge_setting(proxies, self.proxies)
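Review bot: The `or` chain assigned to `verify` returns only the first non-empty variable, so when both SSL_CERT_FILE and SSL_CERT_DIR are set the directory is silently ignored, and the rewritten comment does not state that precedence. Please spell out the lookup order (REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE, SSL_CERT_FILE, SSL_CERT_DIR) in the comment and in the user documentation, since these two variables now also replace the CA bundle whenever `verify is True or verify is None`. A test that sets each variable in turn, and one that sets both SSL_CERT_* variables together, would pin the behaviour down.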