fix(ssl): replace verify=True with ssl.create_default_context() for corporate CA support

Core fix: all httpx.AsyncClient instances now use ssl.create_default_context()
instead of bool verify=True, which uses certifi and ignores system CA store.
This makes corporate CA certificates installed via update-ca-certificates
visible to Python HTTP clients.

Files:
- async_network.py: AsyncAPIClient.__init__ converts True→SSLContext
- client_registry.py: get_client converts bool→SSLContext before passing
- notifications/providers.py: _get_http_client uses ssl.create_default_context()
- services/git/_base.py: GitServiceBase uses ssl.create_default_context()
- translate/_llm_async_http.py: _get_verify returns SSLContext (not string)

Test: new integration test with 3-tier PKI (Root→Intermediate→Server),
TLS-protected Superset container, and custom CA installation via
update-ca-certificates or SSL_CERT_DIR fallback.
- conftest.py: added ca_chain, install_custom_ca, superset_tls_env fixtures;
  parameterized superset_container for TLS mode
- test_superset_tls_custom_ca.py: 8 tests (openssl -CApath, -CAfile certifi,
  httpx capath, httpx certifi, AsyncAPIClient, SupersetClient, fingerprint, verify=False)
This commit is contained in:
2026-06-15 10:20:43 +03:00
parent af923972b6
commit 27a20cbbeb
7 changed files with 603 additions and 31 deletions

View File

@@ -18,6 +18,7 @@ import asyncio
import io
import json
from pathlib import Path
import ssl
from typing import Any
import httpx
@@ -59,23 +60,32 @@ class AsyncAPIClient:
# @DATA_CONTRACT Input[config: Dict[str, Any]] -> self._auth_cache_key[str]
# @RELATION CALLS -> [AsyncAPIClient._normalize_base_url]
# @RELATION DEPENDS_ON -> [SupersetAuthCache]
def __init__(self, config: dict[str, Any], verify_ssl: bool = True, timeout: int = DEFAULT_TIMEOUT,
def __init__(self, config: dict[str, Any], verify_ssl: bool | ssl.SSLContext = True, timeout: int = DEFAULT_TIMEOUT,
semaphore: asyncio.Semaphore | None = None):
self.base_url: str = self._normalize_base_url(config.get("base_url", ""))
self.api_base_url: str = f"{self.base_url}/api/v1"
self.auth = config.get("auth")
self.request_settings = {"verify_ssl": verify_ssl, "timeout": timeout}
# Use system CA store via ssl.create_default_context() instead of bool True.
# httpx defaults to certifi, ignoring SSL_CERT_FILE and corporate CA certs.
if verify_ssl is True:
ssl_context: bool | ssl.SSLContext = ssl.create_default_context()
elif verify_ssl is False:
ssl_context = False
else:
ssl_context = verify_ssl # уже SSLContext
self._client = httpx.AsyncClient(
verify=verify_ssl,
verify=ssl_context,
timeout=httpx.Timeout(timeout),
follow_redirects=True,
)
self._tokens: dict[str, str] = {}
self._authenticated = False
# Cache key по-прежнему использует bool для хеширования
self._auth_cache_key = SupersetAuthCache.build_key(
self.base_url,
self.auth,
verify_ssl,
verify_ssl if isinstance(verify_ssl, bool) else True,
)
# Optional shared semaphore for connection limiting (set by SupersetClientRegistry).
self._semaphore = semaphore

View File

@@ -19,6 +19,7 @@
# shows callers create SupersetClient anyway, defeating the purpose.
import asyncio
import ssl
from typing import Any
from ..logger import logger
@@ -47,6 +48,7 @@ def _build_env_id(env: Any) -> str:
if isinstance(env, dict):
return f"{env.get('base_url','')}|{env.get('username','')}"
return str(id(env))
# #endregion _build_env_id
# #region get_client [C:3] [TYPE Function]
@@ -97,9 +99,15 @@ async def get_client(
config = {}
verify_ssl = True
timeout = request_timeout
# Convert bool to SSLContext with system CA store — httpx defaults to certifi,
# ignoring corporate CA certificates installed via update-ca-certificates.
if verify_ssl is True:
ssl_context: bool | ssl.SSLContext = ssl.create_default_context()
else:
ssl_context = verify_ssl
async_client = AsyncAPIClient(
config=config,
verify_ssl=verify_ssl,
verify_ssl=ssl_context,
timeout=timeout,
)
semaphore = asyncio.Semaphore(connection_pool_size)

View File

@@ -16,6 +16,7 @@
import asyncio
import os
import ssl
from typing import Any
import httpx
@@ -31,19 +32,22 @@ DEFAULT_MAX_TOKENS: int = 8192
# #region _get_verify [C:1] [TYPE Function] [SEMANTICS translate, ssl, verify]
# @BRIEF Resolve SSL verification path from LLM_SSL_VERIFY env var.
# @RATIONALE Используем capath=/etc/ssl/certs/ вместо cafile, потому что
# OpenSSL 3.x не использует intermediate CA сертификаты из cafile для
# построения цепочки (verify code 20). capath с хеш-симлинками работает
# корректно (verify code 0).
# @BRIEF Resolve SSL verification context from LLM_SSL_VERIFY env var.
# @RATIONALE Используем capath=/etc/ssl/certs/ через ssl.create_default_context,
# потому что OpenSSL 3.x не использует intermediate CA сертификаты из cafile
# для построения цепочки (verify code 20). capath с хеш-симлинками работает
# корректно (verify code 0). Возвращаем SSLContext вместо строки — httpx 0.28.x
# депрекейтит строковый путь в verify=.
# @REJECTED cafile отвергнут — OpenSSL 3.x не использует intermediate CA
# из единого bundle-файла. Только capath с хеш-симлинками даёт code 0.
# @POST Returns path to /etc/ssl/certs/ when enabled, False when disabled.
def _get_verify() -> str | bool:
# @REJECTED Строковый путь "/etc/ssl/certs/" отвергнут — httpx 0.28.x депрекейтит
# строки в verify=, требует SSLContext.
# @POST Returns ssl.SSLContext with capath when enabled, False when disabled.
def _get_verify() -> ssl.SSLContext | bool:
raw = os.getenv("LLM_SSL_VERIFY", "true").strip().lower()
if raw in ("false", "0", "no", "off"):
return False
return "/etc/ssl/certs/"
return ssl.create_default_context(capath="/etc/ssl/certs/")
# #endregion _get_verify

View File

@@ -14,6 +14,7 @@ import os
from pathlib import Path
import re
import shutil
import ssl
import threading
from urllib.parse import quote
@@ -56,8 +57,11 @@ class GitServiceBase:
self._closed = False
self._close_lock = threading.Lock()
# Fix 5: Shared httpx.AsyncClient with connection pooling
# Fix 5: Shared httpx.AsyncClient with connection pooling.
# Uses system CA store (ssl.create_default_context) instead of certifi
# to trust corporate CA certificates installed via update-ca-certificates.
self._http_client = httpx.AsyncClient(
verify=ssl.create_default_context(),
timeout=30.0,
limits=httpx.Limits(max_keepalive_connections=20, max_connections=100),
)
@@ -397,5 +401,3 @@ class GitServiceBase:
# endregion close
# #endregion GitServiceBase
# #endregion GitServiceBase
# #endregion GitServiceBase
# #endregion GitServiceBase

View File

@@ -20,6 +20,7 @@
from abc import ABC, abstractmethod
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
import ssl
from typing import Any
import aiosmtplib
@@ -32,10 +33,16 @@ _http_client: httpx.AsyncClient | None = None
async def _get_http_client() -> httpx.AsyncClient:
"""Get or create the module-level httpx.AsyncClient singleton."""
"""Get or create the module-level httpx.AsyncClient singleton.
Uses system CA store (ssl.create_default_context) instead of certifi
to trust corporate CA certificates installed via update-ca-certificates.
"""
global _http_client
if _http_client is None:
_http_client = httpx.AsyncClient(timeout=httpx.Timeout(30.0))
_http_client = httpx.AsyncClient(
verify=ssl.create_default_context(),
timeout=httpx.Timeout(30.0),
)
return _http_client