Support SSL_CERT_FILE for the default ca_certs location #3158

Closed
DragoonAethis opened this issue Jun 12, 2024 · 1 comment · Fixed by #3160
Labels
Enhancement New feature or request

Comments

@DragoonAethis
Contributor

Problem Statement

The SDK currently exposes a ca_certs variable that allows setting the certificate bundle file for HTTPS cert verification within the SDK itself (for certs presented by the Sentry server) - this is useful for corporate proxies doing HTTPS hijacking or self-hosted instances with certs issued under internal CAs. Unfortunately, this requires modifying the Sentry SDK integration to point to the required CA bundle file.

Requests uses the REQUESTS_CA_BUNDLE environment variable to point at a certificate bundle with no code modification. Lots of software, including python-httpx, supports the SSL_CERT_FILE env var to do the same thing.

Solution Brainstorm

If ca_certs is not set, the SDK could evaluate SSL_CERT_FILE and/or REQUESTS_CA_BUNDLE variables for a CA bundle path, before falling back to Certifi (which ships an embedded Mozilla CA bundle file).

I'd like to send a PR to add this, but wanted to ask if this is something you'd accept first.
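As an added example, not sentry-python's own code and not the PR that closed this issue, the precedence the brainstorm above describes (explicit `ca_certs`, then `SSL_CERT_FILE`, then `REQUESTS_CA_BUNDLE`, then certifi) written out as a small resolver. The function names (`resolve_ca_bundle`, `certifi_bundle`, `build_verify_context`), the choice to check `SSL_CERT_FILE` before `REQUESTS_CA_BUNDLE`, and the decision to raise on a variable that points at a missing file are assumptions of this example, not behaviour the issue specifies.

```python
"""CA bundle resolution for HTTPS verification, in the order proposed in the
issue: ca_certs option -> SSL_CERT_FILE -> REQUESTS_CA_BUNDLE -> certifi.
Added example; not sentry-python code."""
import os
import ssl
from typing import Mapping, Optional

# Consulted when no explicit ca_certs is given. Assumption of this example:
# SSL_CERT_FILE, the variable most tools honour, wins if both are set.
CA_BUNDLE_ENV_VARS = ("SSL_CERT_FILE", "REQUESTS_CA_BUNDLE")


def resolve_ca_bundle(
    ca_certs: Optional[str] = None,
    env: Optional[Mapping[str, str]] = None,
) -> Optional[str]:
    """Return the CA bundle path to verify the server against, or None when
    the caller should fall back to certifi.

    A variable that is set but names a missing file raises instead of being
    skipped: silently dropping to certifi would make verification of the
    corporate proxy's certificate fail with an error that points nowhere
    near the misconfigured variable.
    """
    env = os.environ if env is None else env
    if ca_certs:
        return ca_certs
    for var in CA_BUNDLE_ENV_VARS:
        path = env.get(var, "").strip()
        if not path:
            continue
        if not os.path.isfile(path):
            raise FileNotFoundError(f"{var}={path!r}: CA bundle file does not exist")
        return path
    return None


def certifi_bundle() -> Optional[str]:
    """certifi's embedded Mozilla bundle, or None if certifi is not installed."""
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where()


def build_verify_context(ca_certs=None, env=None) -> ssl.SSLContext:
    """SSLContext that requires a certificate and checks the hostname,
    trusting the resolved bundle. cafile=None means OpenSSL's own default
    verify paths (which honour SSL_CERT_FILE at the OpenSSL level)."""
    cafile = resolve_ca_bundle(ca_certs, env) or certifi_bundle()
    return ssl.create_default_context(cafile=cafile)


if __name__ == "__main__":
    import tempfile

    # Constructed placeholder standing in for a corporate CA bundle; a real
    # bundle holds PEM certificates and could be loaded by build_verify_context.
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write("# constructed placeholder, not a real CA bundle\n")
        corp_bundle = f.name
    print("env only:     ", resolve_ca_bundle(None, {"SSL_CERT_FILE": corp_bundle}))
    print("explicit wins:", resolve_ca_bundle("/etc/sentry/ca.pem",
                                              {"SSL_CERT_FILE": corp_bundle}))
    print("nothing set:  ", resolve_ca_bundle(None, {}), "(caller uses certifi)")
    os.unlink(corp_bundle)
```

Two points worth keeping in mind when adopting this. First, OpenSSL's default verify paths already honour `SSL_CERT_FILE`, so a client only ignores the variable because it hands OpenSSL an explicit bundle such as certifi's; the fix is therefore to consult the variable before choosing that explicit bundle, not to patch OpenSSL. Second, failing loudly on a dangling path is deliberate: an operator who sets `SSL_CERT_FILE` expects that bundle to be used, and a quiet fallback to the public Mozilla roots turns a typo into a verification failure against the proxy certificate with no hint of the cause.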

@sl0thentr0py
Member

@DragoonAethis yep that makes sense, please feel free to PR!

DragoonAethis added a commit to DragoonAethis/sentry-python that referenced this issue Jun 12, 2024
Many libraries use the SSL_CERT_FILE environment variable to point at a
CA bundle to use for HTTPS certificate verification. This is often used
in corporate environments with internal CAs or HTTPS hijacking proxies,
where the Sentry server presents a certificate not signed by one of the
CAs bundled with Certifi. Additionally, Requests, Python's most popular
HTTP client library, uses the REQUESTS_CA_BUNDLE variable instead.

Use the SSL_CERT_FILE or REQUESTS_CA_BUNDLE vars if present to set the
default CA bundle.

Fixes getsentryGH-3158