feat(certifi): user certifi as a fallback when system store is not present#6231
feat(certifi): user certifi as a fallback when system store is not present#6231chenghao-mou wants to merge 2 commits into
Conversation
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
| def test_ssl_context_falls_back_to_certifi_without_system_store( | ||
| monkeypatch: pytest.MonkeyPatch, | ||
| ) -> None: | ||
| """When the host has no resolvable system trust store, certifi is loaded.""" | ||
| monkeypatch.delenv("SSL_CERT_FILE", raising=False) | ||
| monkeypatch.delenv("SSL_CERT_DIR", raising=False) | ||
| monkeypatch.setattr( | ||
| ssl, | ||
| "get_default_verify_paths", | ||
| lambda: ssl.DefaultVerifyPaths( | ||
| cafile="/nonexistent/cert.pem", | ||
| capath="/nonexistent/certs", | ||
| openssl_cafile_env="SSL_CERT_FILE", | ||
| openssl_cafile="/nonexistent/cert.pem", | ||
| openssl_capath_env="SSL_CERT_DIR", | ||
| openssl_capath="/nonexistent/certs", | ||
| ), | ||
| ) | ||
|
|
||
| ctx = http_context._create_ssl_context() | ||
| assert ctx.cert_store_stats()["x509"] >= _certifi_cert_count() |
There was a problem hiding this comment.
🚩 Test for certifi fallback doesn't fully isolate from system store
In test_ssl_context_falls_back_to_certifi_without_system_store, ssl.get_default_verify_paths is monkeypatched to return nonexistent paths, but the ssl.create_default_context() call inside _create_ssl_context() (line 31 of http_context.py) still uses OpenSSL's compiled-in SSL_CTX_set_default_verify_paths at the C level, which is NOT affected by the Python-level monkeypatch. On a host WITH a system store, the context will contain system certs + certifi, making the >= assertion at line 111 pass for the wrong reason (system certs alone might already satisfy it). The test doesn't truly verify the certifi-only fallback path on hosts that have a system store.
Was this helpful? React with 👍 or 👎 to provide feedback.
1 participant
LLM client uses httpx, which falls back to certifi's CA bundle, while STT/TTS plugins go through a shared aiohttp session that relied solely on the host's system trust store. On hosts without a resolvable system store (minimal containers, distroless images missing ca-certificates), aiohttp-based TLS would fail while the LLM client kept working.
The shared TCPConnector now builds its SSL context to: (1) honor
SSL_CERT_FILE/SSL_CERT_DIRenv overrides, (2) prefer the system trust store, and (3) fall back to certifi only when no system store is resolvable on disk. This gives consistent TLS trust roots across LLM, STT, and TTS without overriding custom system CAs when a store is present.