Comment by thewisenerd

9 hours ago

thankfully more and more projects are supporting the "standard" SSL_CERT_DIR/SSL_CERT_FILE environment variables [1]

i think requests is a tricky one, as it _should_ be supporting it already based on the PR [2], but looks like it was merged in the 3.x branch and idk where that is, release-wise.

there is also native TLS on linux (idk what exactly you call it); but

    cp cert.pem /usr/local/share/ca-certificates/cert.pem && update-ca-certificates

all languages also seem to have packages around providing cert bundles which get used directly (e.g., certifi [3]), which does cause some pain

[1] https://github.com/rustls/rustls-native-certs/issues/16#issu...

[2] https://github.com/psf/requests/issues/2899

[3] https://pypi.org/project/certifi/

1 comment

thewisenerd

thewisenerd 9 hours ago

slightly related, one of the more interesting issues i've faced due to mitm tls by the $job mandated CASB (cloud-access security broker)

is when python 3.13 [1] introduced some stricter validations and the CASB issued certs were not compliant (missing AKI); which broke REQUESTS_CA_BUNDLE/SSL_CERT_FILE for us

[1] https://discuss.python.org/t/python-3-13-x-ssl-security-chan...