From 9a086209175d2e1614853d9c70593fb9299ed1fb Mon Sep 17 00:00:00 2001 From: tboy1337 Date: Wed, 29 Oct 2025 21:24:18 +0000 Subject: [PATCH 1/2] Enhance SSL verification handling in Session class to respect precedence of verify settings. Added tests to validate behavior for various combinations of session and method verify parameters, ensuring correct application of environment variables and session settings. --- src/requests/sessions.py | 5 ++- tests/test_requests.py | 85 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+), 1 deletion(-) diff --git a/src/requests/sessions.py b/src/requests/sessions.py index 731550de88..b1f7bb5f9c 100644 --- a/src/requests/sessions.py +++ b/src/requests/sessions.py @@ -763,7 +763,10 @@ def merge_environment_settings(self, url, proxies, stream, verify, cert): # Look for requests environment configuration # and be compatible with cURL. - if verify is True or verify is None: + # Determine the effective verify setting (method param > session) + # to respect proper precedence order before applying environment variables + effective_verify = verify if verify is not None else self.verify + if effective_verify is True or effective_verify is None: verify = ( os.environ.get("REQUESTS_CA_BUNDLE") or os.environ.get("CURL_CA_BUNDLE") diff --git a/tests/test_requests.py b/tests/test_requests.py index 75d2deff2e..77f3f1178a 100644 --- a/tests/test_requests.py +++ b/tests/test_requests.py 
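Review bot: The new `effective_verify` guard in `merge_environment_settings` changes one more case than the comment and tests mention: when `self.verify` is a CA-bundle path string and the call passes `verify=None`. `effective_verify` is then a string, the branch is skipped, and `REQUESTS_CA_BUNDLE`/`CURL_CA_BUNDLE` no longer replace the session's bundle. Since this decides which trust anchors a connection uses (or none, for `session.verify = False`), I would state it in the comment, e.g. `# Environment CA bundles apply only when the effective setting is True/None; an explicit False or bundle path from the call or the session is left as is.` A test with `session.verify` set to a path would pin it. The function body continues outside the hunk, so the later merge with `self.verify` is assumed unchanged.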
@@ -966,6 +966,91 @@ def test_invalid_ca_certificate_path(self, httpbin_secure): INVALID_PATH ) + def test_verify_precedence_session_true_method_true(self, httpbin_secure): + """session.verify=True, method verify=True: should use env var and fail""" + INVALID_PATH = "/garbage" + with override_environ(requests_ca_bundle=INVALID_PATH): + session = requests.Session() + session.verify = True + with pytest.raises(IOError) as e: + session.get(httpbin_secure(), verify=True) + assert "Could not find a suitable TLS CA certificate bundle" in str(e.value) + + def test_verify_precedence_session_true_method_none(self, httpbin_secure): + """session.verify=True, method verify=None: should use env var and fail""" + INVALID_PATH = "/garbage" + with override_environ(requests_ca_bundle=INVALID_PATH): + session = requests.Session() + session.verify = True + with pytest.raises(IOError) as e: + session.get(httpbin_secure()) + assert "Could not find a suitable TLS CA certificate bundle" in str(e.value) + + def test_verify_precedence_session_true_method_false(self, httpbin_secure): + """session.verify=True, method verify=False: method override, should succeed""" + INVALID_PATH = "/garbage" + with override_environ(requests_ca_bundle=INVALID_PATH): + session = requests.Session() + session.verify = True + # Should succeed - method parameter overrides session + session.get(httpbin_secure(), verify=False) + + def test_verify_precedence_session_none_method_true(self, httpbin_secure): + """session.verify=None, method verify=True: should use env var and fail""" + INVALID_PATH = "/garbage" + with override_environ(requests_ca_bundle=INVALID_PATH): + session = requests.Session() + # session.verify defaults to None + with pytest.raises(IOError) as e: + session.get(httpbin_secure(), verify=True) + assert "Could not find a suitable TLS CA certificate bundle" in str(e.value) + + def test_verify_precedence_session_none_method_none(self, httpbin_secure): + """session.verify=None, method verify=None: 
should use env var and fail""" + INVALID_PATH = "/garbage" + with override_environ(requests_ca_bundle=INVALID_PATH): + session = requests.Session() + # Both default to None + with pytest.raises(IOError) as e: + session.get(httpbin_secure()) + assert "Could not find a suitable TLS CA certificate bundle" in str(e.value) + + def test_verify_precedence_session_none_method_false(self, httpbin_secure): + """session.verify=None, method verify=False: method override, should succeed""" + INVALID_PATH = "/garbage" + with override_environ(requests_ca_bundle=INVALID_PATH): + session = requests.Session() + # Should succeed - method parameter overrides + session.get(httpbin_secure(), verify=False) + + def test_verify_precedence_session_false_method_true(self, httpbin_secure): + """session.verify=False, method verify=True: method override, should use env var and fail""" + INVALID_PATH = "/garbage" + with override_environ(requests_ca_bundle=INVALID_PATH): + session = requests.Session() + session.verify = False + with pytest.raises(IOError) as e: + session.get(httpbin_secure(), verify=True) + assert "Could not find a suitable TLS CA certificate bundle" in str(e.value) + + def test_verify_precedence_session_false_method_none(self, httpbin_secure): + """session.verify=False, method verify=None: session wins, should succeed (THIS IS THE BUG)""" + INVALID_PATH = "/garbage" + with override_environ(requests_ca_bundle=INVALID_PATH): + session = requests.Session() + session.verify = False + # Should succeed - session.verify=False should be respected + session.get(httpbin_secure()) + + def test_verify_precedence_session_false_method_false(self, httpbin_secure): + """session.verify=False, method verify=False: both false, should succeed""" + INVALID_PATH = "/garbage" + with override_environ(requests_ca_bundle=INVALID_PATH): + session = requests.Session() + session.verify = False + # Should succeed - both say False + session.get(httpbin_secure(), verify=False) + def 
test_invalid_ssl_certificate_files(self, httpbin_secure): INVALID_PATH = "/garbage" with pytest.raises(IOError) as e: From 2561d876ad888c4cbf8d353a1a83799237ac5b80 Mon Sep 17 00:00:00 2001 From: tboy1337 Date: Wed, 29 Oct 2025 22:04:15 +0000 Subject: [PATCH 2/2] Refactor test description for SSL verification precedence case to clarify expected behavior without indicating a bug. This improves the readability and accuracy of the test documentation. --- tests/test_requests.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_requests.py b/tests/test_requests.py index 77f3f1178a..a6c1a29bfa 100644 --- a/tests/test_requests.py +++ b/tests/test_requests.py @@ -1034,7 +1034,7 @@ def test_verify_precedence_session_false_method_true(self, httpbin_secure): assert "Could not find a suitable TLS CA certificate bundle" in str(e.value) def test_verify_precedence_session_false_method_none(self, httpbin_secure): - """session.verify=False, method verify=None: session wins, should succeed (THIS IS THE BUG)""" + """session.verify=False, method verify=None: session wins, should succeed""" INVALID_PATH = "/garbage" with override_environ(requests_ca_bundle=INVALID_PATH): session = requests.Session()
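Review bot: The three `test_verify_precedence_session_none_*` tests never assign `session.verify = None`; they rely on the comments `# session.verify defaults to None` and `# Both default to None`. As far as I know `requests.Session()` initialises `verify` to `True`, so these cases would repeat the `session_true_*` ones and leave the `effective_verify is None` branch unexercised. Adding `session.verify = None` right after `session = requests.Session()` in each of them would make the names and docstrings accurate. The cases expected to succeed (those with `verify=False` from the call or the session) assert nothing about the response, so they only show that no exception was raised. Keeping the response and checking it, e.g. `assert r.status_code == 200`, would tighten them.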