Skip to content

create_ssl_context: raise when verify is a str and cert is provided #990

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Kludex merged 8 commits into from
Jun 1, 2026
Merged

create_ssl_context: raise when verify is a str and cert is provided #990

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
d8c4b30
create_ssl_context: Don't skip ctx.load_cert_chain call when verify i…
scollinson Dec 4, 2025
e8a93b3
Add regression test for create_ssl_context verify=str with cert
mbeijen May 25, 2026
f5aa1c1
Place pragma on the uncovered ssl context branches
Kludex May 25, 2026
ce761fc
create_ssl_context: raise on `verify=<str>` combined with `cert=...`
mbeijen May 25, 2026
442d975
Merge remote-tracking branch 'origin/main' into ssl-context-tuple
Kludex Jun 1, 2026
53227ca
Merge remote-tracking branch 'mbeijen/ssl-context-tuple' into ssl-con…
Kludex Jun 1, 2026
25de33e
Return directly in verify=str branch instead of reassigning ctx
Kludex Jun 1, 2026
a75b1cd
Exclude deprecated cert branch from coverage
Kludex Jun 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 8 additions & 2 deletions src/httpx2/httpx2/_config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,14 +42,20 @@ def create_ssl_context(
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
elif isinstance(verify, str): # pragma: no cover
elif isinstance(verify, str):
if cert:
raise TypeError(
"`verify=<str>` cannot be combined with `cert=...`. "
"Build an `ssl.SSLContext` and pass it as `verify=<ctx>`, "
"using `.load_cert_chain()` to configure the certificate chain."
)
message = (
"`verify=<str>` is deprecated. "
"Use `verify=ssl.create_default_context(cafile=...)` "
"or `verify=ssl.create_default_context(capath=...)` instead."
)
warnings.warn(message, DeprecationWarning)
if os.path.isdir(verify):
if os.path.isdir(verify): # pragma: no cover
return ssl.create_default_context(capath=verify)
return ssl.create_default_context(cafile=verify)
else:
Expand Down
11 changes: 11 additions & 0 deletions tests/httpx2/test_config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,17 @@ def test_load_ssl_config_no_verify() -> None:
assert context.check_hostname is False


def test_create_ssl_context_verify_str(cert_pem_file: str) -> None:
with pytest.warns(DeprecationWarning, match="`verify=<str>` is deprecated"):
context = httpx2.create_ssl_context(verify=cert_pem_file)
assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED


def test_create_ssl_context_verify_str_with_cert_raises(cert_pem_file: str, cert_private_key_file: str) -> None:
with pytest.raises(TypeError, match="cannot be combined with `cert=...`"):
httpx2.create_ssl_context(verify=cert_pem_file, cert=(cert_pem_file, cert_private_key_file))


def test_SSLContext_with_get_request(server: TestServer, cert_pem_file: str) -> None:
context = httpx2.create_ssl_context()
context.load_verify_locations(cert_pem_file)
Expand Down
Loading