When REQUESTS_CA_BUNDLE is defined, the CA certificate passed to requests.Session constructor is overridden when requests.Session.request is called.
Guilty method/lines:
https://github.com/psf/requests/blob/master/requests/sessions.py#L694-L710
I would expect for the priority to be:
1. requests.Session.request verify kwarg
2. requests.Session verify property
3. REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE

As requests.Session.request verify kwarg was not set, it took the value from REQUESTS_CA_BUNDLE and only then requests.Session.verify was checked, but ignored, resulting in an invalid CA used (for that Session).
Related issue (in docker-py project) https://github.com/docker/docker-py/issues/2433
```
$ python -m requests.help
{
  "chardet": {
    "version": "3.0.4"
  },
  "cryptography": {
    "version": "2.7"
  },
  "idna": {
    "version": "2.8"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.7.4"
  },
  "platform": {
    "release": "18.6.0",
    "system": "Darwin"
  },
  "pyOpenSSL": {
    "openssl_version": "1010103f",
    "version": "19.0.0"
  },
  "requests": {
    "version": "2.22.0"
  },
  "system_ssl": {
    "version": "1000213f"
  },
  "urllib3": {
    "version": "1.25.3"
  },
  "using_pyopenssl": true
}
```
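The two resolution orders described in the report above, as a simplified stdlib-only model; this is an added example, not part of the original issue and not code from requests. The function names, the file paths, and the choice to treat a session value of `True` as "unset" in the expected order are assumptions.

```python
ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")


def env_bundle(environ):
    """First non-empty CA bundle path found in the environment, else None."""
    for name in ENV_VARS:
        if environ.get(name):
            return environ[name]
    return None


def observed_verify(request_verify, session_verify, environ, trust_env=True):
    """Order the issue reports: the environment fills in an unset (None/True)
    per-request value before the session value is consulted."""
    verify = request_verify
    if trust_env and (verify is None or verify is True):
        verify = env_bundle(environ) or verify
    return session_verify if verify is None else verify


def expected_verify(request_verify, session_verify, environ, trust_env=True):
    """Order the reporter expects: request kwarg, session property, environment.
    Assumption: a session value of True (the default) counts as unset."""
    if request_verify is not None:
        return request_verify
    if session_verify is not None and session_verify is not True:
        return session_verify
    return (env_bundle(environ) if trust_env else None) or True


def shadowed_pin(session_verify, environ, trust_env=True):
    """Return the environment path that replaces a session-level setting when
    no per-request verify is given, or None if the session value is honoured."""
    seen = observed_verify(None, session_verify, environ, trust_env)
    wanted = expected_verify(None, session_verify, environ, trust_env)
    return seen if seen != wanted else None


# Constructed sample values, not taken from the issue.
SAMPLE_ENV = {"REQUESTS_CA_BUNDLE": "/opt/corp/bundle.pem"}
SESSION_CA = "/etc/pki/internal-ca.pem"

if __name__ == "__main__":
    print("session pin replaced by:", shadowed_pin(SESSION_CA, SAMPLE_ENV))
    print("with trust_env=False:   ", shadowed_pin(SESSION_CA, SAMPLE_ENV, False))
    print("explicit per-request CA:",
          observed_verify(SESSION_CA, SESSION_CA, SAMPLE_ENV))
```

In the model, passing `verify` on each request or setting `trust_env = False` on the session keeps the session's CA in effect; the latter also disables the other environment-derived settings such as proxies.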
Same issues I presume:
https://github.com/psf/requests/issues/4938
https://github.com/home-assistant/home-assistant-cli/issues/184
Had also opened a pull request, hopefully one of them gets merged in. This is a tiresome issue.
https://github.com/psf/requests/pull/5172
This looks like a duplicate of https://github.com/psf/requests/issues/3829