From b36083efafec5a3c1c5864cd0b62367ddf3856ae Mon Sep 17 00:00:00 2001 From: Keshav Kini Date: Sun, 16 May 2021 20:35:24 -0700 Subject: [PATCH] Prefer NixOS/Nix default CA bundles over certifi Normally, requests gets its default CA bundle from the certifi package. On NixOS and when using Nix on non-NixOS platforms, we would rather default to using our own certificate bundles controlled by the Nix/NixOS user. This commit overrides requests.certs.where(), which previously was just aliased to certifi.where(), so that now it does the following: - When run by Nix on non-NixOS, the environment variable $NIX_SSL_CERT_FILE will point to the CA bundle we're using, so we use that. - When running on NixOS, the CA bundle we're using has the static path /etc/ssl/certs/ca-certificates.crt , so we use that. - Otherwise, we fall back to the original behavior of using certifi's CA bundle. Higher in the call stack, users of requests can also explicitly specify a CA bundle to use, which overrides all this logic. --- requests/certs.py | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/requests/certs.py b/requests/certs.py index d1a378d7..faf462b7 100644 --- a/requests/certs.py +++ b/requests/certs.py @@ -12,7 +12,23 @@ If you are packaging Requests, e.g., for a Linux distribution or a managed environment, you can change the definition of where() to return a separately packaged CA bundle. """ -from certifi import where + +import os + +import certifi + + +def where(): + nix_ssl_cert_file = os.getenv("NIX_SSL_CERT_FILE") + if nix_ssl_cert_file and os.path.exists(nix_ssl_cert_file): + return nix_ssl_cert_file + + nixos_ca_bundle = "/etc/ssl/certs/ca-certificates.crt" + if os.path.exists(nixos_ca_bundle): + return nixos_ca_bundle + + return certifi.where() + if __name__ == '__main__': print(where()) -- 2.31.1