Async or Sync Client Verify with SSLContext Failing due to cert param not set

[jiaulislam]

I'm trying to connect an API with SSL context as below. But when using the Async Client or Sync Client I have to provide cert parameter again to be able to call successfully the API if not provided getting error.

Python Version: 3.11.1
httpx Version: 0.24.1

Expected Behavior:

As the SSL Context already have the SSL configs with the Certs, I expected I don't need to pass the certs parameter value in the Async or Sync Client

Actual Behavior:

Getting Error if certs params not given with actual cert files. Error details: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1002).

Do I really have to pass the certs params again or is there any other way it can be resolved ?

API Calling Function

async def create_token(self) -> Mapping[str, Any]:
        """
        Create a token by making a POST request to the token URL.

        Returns:
            Mapping[str, Any]: A dictionary-like object containing the token information.

        Raises:
            Exception: If an error occurs during the POST request.
        """
        async with AsyncClient(
            cert=self.certs,  # here is the thing that's bugging me, I'm already giving verify param the SSLContext
            verify=self.crypto_ctx(),
            headers=self.configs.get("headers"),
        ) as client:
            try:
                response = await client.post(
                    self.configs.get(
                        "token_url",
                    ),
                    json={
                        "userName": self.crypto_ctx.username,
                        "password": self.crypto_ctx.password,
                    },
                )
                logging.debug(f"DEBUG_TRACE: response from citypay: {response.json()}")
            except Exception as e:
                raise e from e
        return response.json()

SSL Context

    def __call__(self) -> ssl.SSLContext:
        """
        Return an SSLContext object.

        Returns:
            ssl.SSLContext: The SSLContext object.

        """
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        context.minimum_version = ssl.TLSVersion.TLSv1_2
        context.load_verify_locations(cafile=self.private_key, capath=self.public_key)
        context.set_ciphers("AES256-SHA256:@SECLEVEL=2")
        context.check_hostname = (
            False  # Due to bank legacy key cert host-name verification disabled
        )
        context.verify_mode = (
            ssl.CERT_NONE
        )  # Due to bank legacy key cert verification disabled
        return context

Thanks in Advance

[tomchristie]

Do I really have to pass the certs params again or is there any other way it can be resolved ?

I'd expect this too yeah.

I'm unclear from your description exactly what the behaviour is here, but it's actually a pointer to an API issue that I've had on my (internal) radar for a while...

A sharper API here would be:

response = httpx.get(..., ssl_context=...)

With a gentle migration path / requests-ish compat of:

ssl_context = httpx.SSLContext(verify=..., cert=..., trust_env=..., http2=...)
response = httpx.get(..., ssl_context=ssl_context)

There's a bit of design work that'd be needed around that, but it's just neater to not have the weird overloading of the verify=... argument. It'd also fit in more obviously with other parts of the Python ecosystem.

For instance...

# See https://truststore.readthedocs.io/en/latest/
ssl_context = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
client = httpx.Client(ssl_context=ssl_context)