Skip to content

Fix SSL verification precedence: Respect session.verify when method verify parameter is None #7075

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
+89 −1
Open

Fix SSL verification precedence: Respect session.verify when method verify parameter is None #7075

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9a08620
Enhance SSL verification handling in Session class to respect precede…
tboy1337 Oct 29, 2025
2561d87
Refactor test description for SSL verification precedence case to cla…
tboy1337 Oct 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion src/requests/sessions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -763,7 +763,10 @@ def merge_environment_settings(self, url, proxies, stream, verify, cert):

# Look for requests environment configuration
# and be compatible with cURL.
if verify is True or verify is None:
# Determine the effective verify setting (method param > session)
# to respect proper precedence order before applying environment variables
effective_verify = verify if verify is not None else self.verify
if effective_verify is True or effective_verify is None:
verify = (
os.environ.get("REQUESTS_CA_BUNDLE")
or os.environ.get("CURL_CA_BUNDLE")
Expand Down
85 changes: 85 additions & 0 deletions tests/test_requests.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -966,6 +966,91 @@ def test_invalid_ca_certificate_path(self, httpbin_secure):
INVALID_PATH
)

def test_verify_precedence_session_true_method_true(self, httpbin_secure):
"""session.verify=True, method verify=True: should use env var and fail"""
INVALID_PATH = "/garbage"
with override_environ(requests_ca_bundle=INVALID_PATH):
session = requests.Session()
session.verify = True
with pytest.raises(IOError) as e:
session.get(httpbin_secure(), verify=True)
assert "Could not find a suitable TLS CA certificate bundle" in str(e.value)

def test_verify_precedence_session_true_method_none(self, httpbin_secure):
"""session.verify=True, method verify=None: should use env var and fail"""
INVALID_PATH = "/garbage"
with override_environ(requests_ca_bundle=INVALID_PATH):
session = requests.Session()
session.verify = True
with pytest.raises(IOError) as e:
session.get(httpbin_secure())
assert "Could not find a suitable TLS CA certificate bundle" in str(e.value)

def test_verify_precedence_session_true_method_false(self, httpbin_secure):
"""session.verify=True, method verify=False: method override, should succeed"""
INVALID_PATH = "/garbage"
with override_environ(requests_ca_bundle=INVALID_PATH):
session = requests.Session()
session.verify = True
# Should succeed - method parameter overrides session
session.get(httpbin_secure(), verify=False)

def test_verify_precedence_session_none_method_true(self, httpbin_secure):
"""session.verify=None, method verify=True: should use env var and fail"""
INVALID_PATH = "/garbage"
with override_environ(requests_ca_bundle=INVALID_PATH):
session = requests.Session()
# session.verify defaults to None
with pytest.raises(IOError) as e:
session.get(httpbin_secure(), verify=True)
assert "Could not find a suitable TLS CA certificate bundle" in str(e.value)

def test_verify_precedence_session_none_method_none(self, httpbin_secure):
"""session.verify=None, method verify=None: should use env var and fail"""
INVALID_PATH = "/garbage"
with override_environ(requests_ca_bundle=INVALID_PATH):
session = requests.Session()
# Both default to None
with pytest.raises(IOError) as e:
session.get(httpbin_secure())
assert "Could not find a suitable TLS CA certificate bundle" in str(e.value)

def test_verify_precedence_session_none_method_false(self, httpbin_secure):
"""session.verify=None, method verify=False: method override, should succeed"""
INVALID_PATH = "/garbage"
with override_environ(requests_ca_bundle=INVALID_PATH):
session = requests.Session()
# Should succeed - method parameter overrides
session.get(httpbin_secure(), verify=False)

def test_verify_precedence_session_false_method_true(self, httpbin_secure):
"""session.verify=False, method verify=True: method override, should use env var and fail"""
INVALID_PATH = "/garbage"
with override_environ(requests_ca_bundle=INVALID_PATH):
session = requests.Session()
session.verify = False
with pytest.raises(IOError) as e:
session.get(httpbin_secure(), verify=True)
assert "Could not find a suitable TLS CA certificate bundle" in str(e.value)

def test_verify_precedence_session_false_method_none(self, httpbin_secure):
"""session.verify=False, method verify=None: session wins, should succeed"""
INVALID_PATH = "/garbage"
with override_environ(requests_ca_bundle=INVALID_PATH):
session = requests.Session()
session.verify = False
# Should succeed - session.verify=False should be respected
session.get(httpbin_secure())

def test_verify_precedence_session_false_method_false(self, httpbin_secure):
"""session.verify=False, method verify=False: both false, should succeed"""
INVALID_PATH = "/garbage"
with override_environ(requests_ca_bundle=INVALID_PATH):
session = requests.Session()
session.verify = False
# Should succeed - both say False
session.get(httpbin_secure(), verify=False)

def test_invalid_ssl_certificate_files(self, httpbin_secure):
INVALID_PATH = "/garbage"
with pytest.raises(IOError) as e:
Expand Down