SSLContext not working in macos with requests library #167

Open
jmoraleda opened this issue Jan 6, 2025 · 4 comments
@jmoraleda

jmoraleda commented Jan 6, 2025

I am working on a framework so I am trying to use SSLContext instead of inject_into_ssl per the documentation and the user guide.

I am using requests. I have found instructions on how to inject SSLContext into requests at https://stackoverflow.com/a/78265028. In particular the code snippet:

```python
import truststore
import requests
import ssl
from requests.adapters import HTTPAdapter

class TruststoreAdapter(HTTPAdapter):
    def init_poolmanager(self, connections, maxsize, block=False):
        ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        return super().init_poolmanager(connections, maxsize, block, ssl_context=ctx)

s = requests.Session()
s.mount("https://", TruststoreAdapter())
r = s.get("https://localhost:4443/", verify=True)
print(r) # 200 OK
```

This code works well in Linux and Windows. But on Mac I get the error:

```
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 464, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 1093, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.11/site-packages/urllib3/connection.py", line 741, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/connection.py", line 920, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
               ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 460, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 504, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/python@3.11/3.11.6_1/Frameworks/Python.framework/Versions/3.11/lib/python3.11/ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/python@3.11/3.11.6_1/Frameworks/Python.framework/Versions/3.11/lib/python3.11/ssl.py", line 1108, in _create
    self.do_handshake()
  File "/usr/local/Cellar/python@3.11/3.11.6_1/Frameworks/Python.framework/Versions/3.11/lib/python3.11/ssl.py", line 1379, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)
```

I am certain my custom root certificate is properly installed in Mac, because if I use inject_into_ssl instead of SSLContext:

```python
import truststore
import requests

truststore.inject_into_ssl()

s = requests.Session()
r = s.get("https://localhost:4443/", verify=True)
print(r) # 200 OK
```

then everything works.

@achapkowski

What version of requests are you using?

@jmoraleda
Author

> What version of requests are you using?

2.32.3

@sethmlarson
Owner

@jmoraleda Are you able to test the patch in #164 to confirm that fixes your issue? Thanks for using the library.

@jmoraleda
Author

jmoraleda commented Jan 10, 2025

Thank you @sethmlarson. I just tested #164 and it does not fix this issue.

But I do not find this result surprising, since #164 patches inject_into_ssl, which was already working for me. My problem is when trying to inject SSLContext into requests. (Please see description above for details)
