
Add global SSL/TLS configuration options via environment variable

Open · azachar opened this issue 2 years ago • 1 comment

Hello,

I would like to request a feature to allow setting SSL/TLS options globally in the requests library via an environment variable or a configuration file. Currently, while the requests library has the ability to set the correct version of TLS, it's not possible to change it globally via environment variable.

This feature is important for users who need to configure SSL/TLS options for their entire environment, rather than on a per-application basis. This would help avoid issues caused by outdated or unsupported SSL/TLS protocols and provide users with more flexibility in configuring their SSL/TLS settings.

This issue was recently highlighted in a feature request for pip (https://github.com/pypa/pip/issues/11896), which attempted to add a command-line option to disable unsafe legacy renegotiation and enforce the use of TLS 1.3. However, this option was deemed better suited for the requests library.

Therefore, I would like to propose adding a means to set SSL/TLS options globally in the requests library, for example via an environment variable.

Thank you for your attention to this matter, and please let me know if you have any questions or feedback.

Best regards, Andrej Zachar

azachar · Apr 26 '23 10:04

As was clearly laid out in that issue, this library is in feature freeze.

Further, environment variables supported by this library already, intended to be used to give customers a way to improve their security posture, have instead created vulnerabilities that are near impossible to completely remediate. Additional environment variables - especially ones that affect TLS connections - that may affect everything running with those settings are yet another attack venue. So beyond being something we wouldn't do due to the feature freeze, it's also something I wouldn't ever support because of the impact it could have on many users' security posture without them understanding its severity.

sigmavirus24 · Apr 26 '23 13:04
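As an added example, not code from the requests project or from either participant: the per-application route the opener alludes to (an explicit SSLContext mounted on one Session through an adapter) next to a small audit of the environment variables requests already honours when `trust_env` is set, which is the surface the reply above describes as an attack venue. `StrictTLSAdapter`, `make_strict_tls_context` and `audit_requests_environment` are hypothetical names; requests is imported optionally so the stdlib part runs on its own.

```python
import os
import ssl

# Environment variables requests consults when Session.trust_env is True
# (the defaults): proxy routing, CA-bundle override and netrc credential
# lookup. Matched case-insensitively because the proxy variables are
# honoured in either case.
REQUESTS_ENV_VARS = frozenset({
    "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE",                # replaces the CA bundle used for verification
    "HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY", "NO_PROXY",  # redirects traffic through a proxy
    "NETRC",                                               # alternate credentials file
})


def audit_requests_environment(environ=None):
    """Return the subset of the environment that silently alters requests' behaviour."""
    environ = os.environ if environ is None else environ
    return {k: v for k, v in environ.items() if k.upper() in REQUESTS_ENV_VARS}


def make_strict_tls_context(min_version=ssl.TLSVersion.TLSv1_3):
    """Verifying SSLContext with an explicit protocol floor.

    create_default_context() already sets CERT_REQUIRED and check_hostname=True;
    this pins the minimum version and refuses renegotiation on TLS <= 1.2.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx


try:  # requests is optional here so the stdlib functions above run stand-alone
    from requests.adapters import HTTPAdapter
except ImportError:
    HTTPAdapter = None

if HTTPAdapter is not None:
    class StrictTLSAdapter(HTTPAdapter):
        """Hands a caller-supplied SSLContext to urllib3 for this Session only (hypothetical)."""

        def __init__(self, ssl_context, **kwargs):
            self._ssl_context = ssl_context  # set before super().__init__ builds the pool manager
            super().__init__(**kwargs)

        def init_poolmanager(self, *args, **kwargs):
            kwargs["ssl_context"] = self._ssl_context
            return super().init_poolmanager(*args, **kwargs)

        def proxy_manager_for(self, *args, **kwargs):
            kwargs["ssl_context"] = self._ssl_context
            return super().proxy_manager_for(*args, **kwargs)
```

With requests installed, `session.mount("https://", StrictTLSAdapter(make_strict_tls_context()))` applies the floor to that Session alone, leaving other processes sharing the environment untouched.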