2.32.3 does not load system CA certificates when using an Adapter #6736

Closed
WhyNotHugo opened this issue Jun 7, 2024 · 5 comments

@WhyNotHugo
Contributor

Given this snippet:

from requests.adapters import HTTPAdapter
from requests import Session
from urllib3 import PoolManager
from urllib3 import ProxyManager
from urllib3.util.ssl_ import create_urllib3_context


class AFIPAdapter(HTTPAdapter):
    """An adapter with reduced security so it'll work with AFIP."""

    def init_poolmanager(self, *args, **kwargs) -> PoolManager:
        context = create_urllib3_context(ciphers="AES128-SHA")
        # context.load_default_certs()
        kwargs["ssl_context"] = context
        return super().init_poolmanager(*args, **kwargs)

    def proxy_manager_for(self, *args, **kwargs) -> ProxyManager:
        context = create_urllib3_context(ciphers="AES128-SHA")
        # context.load_default_certs()
        kwargs["ssl_context"] = context
        return super().proxy_manager_for(*args, **kwargs)


session = Session()
session.mount("https://servicios1.afip.gov.ar", AFIPAdapter())
session.get("https://servicios1.afip.gov.ar/wsfev1/service.asmx?WSDL")

On requests==2.31.0, this works fine (e.g.: system CAs are loaded by default).

As of 2.32.2, the system CAs are no longer loaded by default, and the commented context.load_default_certs() lines need to be included too.

Expected Result

Above snippet should work; system CAs should be loaded.

Actual Result

Above snippet fails with:

requests.exceptions.SSLError: HTTPSConnectionPool(host='servicios1.afip.gov.ar', port=443): Max retries exceeded with url: /wsfev1/service.asmx?WSDL (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

System Information

$ python -m requests.help
{
  "chardet": {
    "version": null
  },
  "charset_normalizer": {
    "version": "3.3.2"
  },
  "cryptography": {
    "version": "39.0.2"
  },
  "idna": {
    "version": "3.7"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.12.3"
  },
  "platform": {
    "release": "6.9.3-0-edge",
    "system": "Linux"
  },
  "pyOpenSSL": {
    "openssl_version": "30000080",
    "version": "23.2.0"
  },
  "requests": {
    "version": "2.32.3"
  },
  "system_ssl": {
    "version": "30300000"
  },
  "urllib3": {
    "version": "2.2.1"
  },
  "using_charset_normalizer": true,
  "using_pyopenssl": true
}

Further context

#6710 (comment)

@nateprewitt
Member

Hi @WhyNotHugo, I think this is a duplicate of #6730 which was opened after your original comment. We'll track progress there.

@WhyNotHugo
Contributor Author

Sorry, forgot to double-check.

@alesisjoan

@WhyNotHugo did you solve it? I'm struggling with the same

urllib3 = "^1.26.14"
fintech = "^7.5.1"
pyopenssl = "^22.0.0"
cryptography = "^35.0.0"

since I updated cryptography

@WhyNotHugo
Contributor Author

@alesisjoan Either use dependency "requests!=2.32.0,!=2.32.1,!=2.32.2", or explicitly load default certs: https://github.com/WhyNotHugo/django-afip/blob/8ea6dbd79d9cfe52409d9bbf3d61069ea8efbdb0/django_afip/clients.py#L44-L57
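
The second workaround above (explicitly loading default certs), as an added example that is not code from this thread or from the requests project. It builds the context with the standard-library `ssl` module instead of `create_urllib3_context`, and `build_context`, `trust_report` and `mount_adapter` are hypothetical names.

```python
import ssl


def build_context(ciphers: str = "AES128-SHA", load_system_cas: bool = True) -> ssl.SSLContext:
    """Client context limited to `ciphers`; certificate checks stay enabled."""
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with hostname checking,
    # but its trust store starts out empty.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(ciphers)  # raises ssl.SSLError if nothing matches
    if load_system_cas:
        # The call the issue says must now be made explicitly.
        ctx.load_default_certs()
    return ctx


def trust_report(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that decide whether verification can succeed."""
    paths = ssl.get_default_verify_paths()
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        # Counts CAs held in memory only. Certificates in a capath directory
        # are read on first use, so 0 here is conclusive only for a context
        # that never had defaults loaded.
        "ca_in_memory": ctx.cert_store_stats()["x509_ca"],
        "default_cafile": paths.cafile,
        "default_capath": paths.capath,
        # TLS 1.3 suites are configured separately from set_ciphers().
        "pre_tls13_ciphers": [c["name"] for c in ctx.get_ciphers()
                              if c["protocol"] != "TLSv1.3"],
    }


def mount_adapter(session, prefix: str, ctx: ssl.SSLContext) -> None:
    """Mount an HTTPAdapter on `session` that uses `ctx` for `prefix`."""
    from requests.adapters import HTTPAdapter  # imported lazily on purpose

    class ContextAdapter(HTTPAdapter):
        def init_poolmanager(self, *args, **kwargs):
            kwargs["ssl_context"] = ctx
            return super().init_poolmanager(*args, **kwargs)

        def proxy_manager_for(self, *args, **kwargs):
            kwargs["ssl_context"] = ctx
            return super().proxy_manager_for(*args, **kwargs)

    session.mount(prefix, ContextAdapter())
```

Logging `trust_report(ctx)` at startup shows whether a weakened-cipher context still verifies the peer and where its trust anchors are expected to come from.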

@alesisjoan

alesisjoan commented Jul 4, 2024 via email
