Use a default SSLContext with the default CA bundle loaded when `veri…

…fy=True`
psf · nateprewitt · May 15, 2024 · Mar 20, 2024 · Mar 21, 2024 · May 7, 2024
commit 8f954567bdfb7fa2bd638b7021b0a156e3f71787
diff --git a/src/requests/adapters.py b/src/requests/adapters.py
@@ -26,6 +26,7 @@
 from urllib3.util import Timeout as TimeoutSauce
 from urllib3.util import parse_url
 from urllib3.util.retry import Retry
+from urllib3.util.ssl_ import create_urllib3_context
 
 from .auth import _basic_auth_str
 from .compat import basestring, urlparse
@@ -70,6 +71,8 @@ def SOCKSProxyManager(*args, **kwargs):
 DEFAULT_POOLSIZE = 10
 DEFAULT_RETRIES = 0
 DEFAULT_POOL_TIMEOUT = None
+DEFAULT_SSL_CONTEXT = create_urllib3_context()
+DEFAULT_SSL_CONTEXT.load_verify_locations(extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH))
 
 
 def _urllib3_request_context(
@@ -85,8 +88,13 @@ def _urllib3_request_context(
     cert_reqs = "CERT_REQUIRED"
     if verify is False:
         cert_reqs = "CERT_NONE"
-    if isinstance(verify, str):
-        pool_kwargs["ca_certs"] = verify
+    elif verify is True:
+        pool_kwargs["ssl_context"] = DEFAULT_SSL_CONTEXT
+    elif isinstance(verify, str):
+        if not os.path.isdir(verify):
+            pool_kwargs["ca_certs"] = verify
+        else:
+            pool_kwargs["ca_cert_dir"] = verify
     pool_kwargs["cert_reqs"] = cert_reqs
     if client_cert is not None:
         if isinstance(client_cert, tuple) and len(client_cert) == 2: