
Self-Signed Certificate instructions needs an update

Open RafalSkolasinski opened this issue 3 years ago • 4 comments

The documented way of dealing with self-signed certificates by setting the CURL_CA_BUNDLE="" env variable will not work with requests from version 2.28.0 onward due to:

> Fixed bug where setting CURL_CA_BUNDLE to an empty string would disable cert verification. All Requests 2.x versions before 2.28.0 are affected. (#6074)

PR https://github.com/psf/requests/pull/6074 that addresses https://github.com/psf/requests/issues/6071 effectively disables this workaround.

RafalSkolasinski, Jul 25 '22 13:07
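Added example (not from the issue thread or the Authlib docs): a check of how the installed requests resolves `verify` from the environment. It shows whether an empty CURL_CA_BUNDLE still turns verification off, and that pointing REQUESTS_CA_BUNDLE at a PEM file trusts a self-signed certificate explicitly instead. The URL and file path are constructed placeholders; `merge_environment_settings` is requests' own `Session` method.

```python
import os
from contextlib import contextmanager

import requests


@contextmanager
def patched_env(**overrides):
    """Temporarily set (str value) or unset (None) environment variables."""
    saved = {name: os.environ.get(name) for name in overrides}
    try:
        for name, value in overrides.items():
            if value is None:
                os.environ.pop(name, None)
            else:
                os.environ[name] = value
        yield
    finally:
        for name, value in saved.items():
            if value is None:
                os.environ.pop(name, None)
            else:
                os.environ[name] = value


def effective_verify(url="https://auth.example.internal/token", **env):
    """Return the `verify` value requests would apply to `url` under `env`."""
    base = {"REQUESTS_CA_BUNDLE": None, "CURL_CA_BUNDLE": None}
    base.update(env)
    with patched_env(**base):
        session = requests.Session()  # trust_env defaults to True
        settings = session.merge_environment_settings(url, {}, None, None, None)
    return settings["verify"]


def empty_bundle_disables_verification():
    """True only where CURL_CA_BUNDLE="" still switches certificate checks off."""
    return not effective_verify(CURL_CA_BUNDLE="")


if __name__ == "__main__":
    print("requests", requests.__version__)
    print("CURL_CA_BUNDLE='' ->", effective_verify(CURL_CA_BUNDLE=""))
    # Constructed path: a PEM file holding the self-signed certificate to trust.
    pem = "/etc/ssl/local/selfsigned.pem"
    print("REQUESTS_CA_BUNDLE set ->", effective_verify(REQUESTS_CA_BUNDLE=pem))
```

On requests 2.28.0 or later the first line printed for the empty variable is `True`, meaning verification stays enabled; the second shows the bundle path being used as the trust anchor.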

Hi @RafalSkolasinski, a PR for the documentation is welcome.

lepture, Dec 06 '22 07:12

@lepture It's a bit more than just a documentation update, as the feature advertised does not work anymore, and there is no way to make it work as described. The proper solution would be to add support for passing parameters to requests, but I'm not sure if that's wished, as it can lead to insecure setups. In the meantime, the chapter from the doc should be removed. Should I submit a fix for that?

benallard, Feb 08 '24 11:02

> I'm not sure if that's wished, as it can lead to insecure setups

That's why the flag is called insecure ;)

I forgot about this issue but may think about contributing a PR to expose it

RafalSkolasinski, Feb 08 '24 13:02

FYI, I got around the problem by installing pip-system-certs (really, just adding it to my env, no modifications to my source code).

benallard, Feb 09 '24 08:02