
SSL certificate verification "certificate verify failed" #5487

@vincent-herlemont

Summary

SSL certificate verification fails when making HTTPS requests using RustPython's requests library, even with proper certificate handling through certifi. This prevents secure HTTPS connections in RustPython applications.

Expected

The following code should successfully make an HTTPS request with proper SSL certificate verification:

    import requests
    from certifi import where

    session = requests.Session()
    session.verify = where()
    response = session.get('https://openlibrary.org/api/books?bibkeys=ISBN:9780618640157&format=json&jscmd=data')
    print(response.json())

Actual

The code fails with an SSL certificate verification error:

SSLError: HTTPSConnectionPool(host='openlibrary.org', port=443): Max retries exceeded with url: /api/books?bibkeys=ISBN:9780618640157&format=json&jscmd=data (Caused by SSLError(SSLError(134, '[SSL routines] certificate verify failed (ssl.rs:1030)')))

Even with explicit SSL context configuration:

    import ssl
    import requests
    from certifi import where

    # Configure SSL context with certifi
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ssl_context.verify_mode = ssl.CERT_REQUIRED
    ssl_context.load_verify_locations(cafile=where(), capath=None, cadata=None)

    session = requests.Session()
    session.verify = where()
    response = session.get('https://openlibrary.org/api/books?bibkeys=ISBN:9780618640157&format=json&jscmd=data')

The same error persists.

Environment

  • RustPython version: 0.4.0
  • Operating System: Linux 20.04.1-Ubuntu
  • Dependencies:
    • requests
    • certifi
    • urllib3
    • charset-normalizer

Steps to Reproduce

  1. Install required packages:

    #!/bin/bash
    SITE_PACKAGES="python_packages/site-packages"
    mkdir -p "$SITE_PACKAGES"

    # Install pip and packages
    curl -sSL https://bootstrap.pypa.io/get-pip.py -o get-pip.py
    python3 get-pip.py --target="$SITE_PACKAGES"
    python3 -m pip install --target="$SITE_PACKAGES" charset-normalizer urllib3 certifi requests

  2. RustPython code:

    use anyhow;
    use rustpython_vm as vm;
    use rustpython_stdlib;
    use std::path::PathBuf;

    pub async fn run() -> anyhow::Result<()> {
        let mut settings = vm::Settings::default();
        // Directory that holds the bundled Lib/ and site-packages/ trees
        let base_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
            .join("src")
            .join("experiments")
            .join("e5_run_python")
            .join("python_packages");

        // Make the standard library and the pip-installed packages importable
        settings.path_list.push(base_path.join("Lib").to_string_lossy().to_string());
        settings.path_list.push(base_path.join("site-packages").to_string_lossy().to_string());

        // Register the native stdlib modules (including ssl) with the VM
        let interpreter = vm::Interpreter::with_init(settings, |vm| {
            vm.add_native_modules(rustpython_stdlib::get_module_inits());
        });

        // ... Python code execution

        Ok(())
    }

Python Documentation

According to Python's SSL documentation:

  1. ssl.SSLContext should handle certificate verification:

    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.verify_mode = ssl.CERT_REQUIRED
    context.load_verify_locations(cafile=certifi.where())

  2. The requests library should automatically handle SSL verification when verify=True or when provided with a certificate path:

    session = requests.Session()
    session.verify = certifi.where()

Related Issues

Labels: C-bug (Something isn't working)

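A triage step for the failure reported above, as an added example that is not part of the original issue or of RustPython's code: it performs the verified TLS handshake with the `ssl` module alone, so the result shows whether verification already fails below requests and urllib3. The function names and the result dictionary are assumptions of this example; pass `certifi.where()` as `cafile` to match the report.

```python
import socket
import ssl

# Assumption: fall back to SSLError where the ssl module lacks the subclass.
CertVerifyError = getattr(ssl, "SSLCertVerificationError", ssl.SSLError)


def build_context(cafile=None):
    """Verifying client context; cafile=None uses the platform trust store."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and check_hostname by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def probe(host, port=443, cafile=None, timeout=5.0):
    """Handshake with verification on and report the stage that failed."""
    result = {"host": host, "stage": "ok", "error": None, "verify_code": None}
    try:
        ctx = build_context(cafile)
    except OSError as exc:  # missing or unparsable CA bundle (SSLError included)
        result.update(stage="load_ca", error=str(exc))
        return result
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # DNS, routing, refused connection, timeout
        result.update(stage="connect", error=str(exc))
        return result
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls_version"] = tls.version()
    except CertVerifyError as exc:  # chain or hostname rejected
        result.update(stage="verify",
                      error=getattr(exc, "verify_message", str(exc)),
                      verify_code=getattr(exc, "verify_code", None))
    except OSError as exc:  # any other TLS or socket failure
        result.update(stage="handshake", error=str(exc))
    finally:
        sock.close()
    return result


if __name__ == "__main__":
    # Host taken from the report; run under both CPython and RustPython.
    print(probe("openlibrary.org"))
```

A `verify` stage under RustPython together with `ok` under CPython for the same `cafile` places the fault in the interpreter's `ssl` module rather than in requests or certifi.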