From 7a4008be5af784aa6e4cbad6c88cd2e23e171c5c Mon Sep 17 00:00:00 2001
From: lingyun14
Date: Fri, 24 Apr 2026 23:42:04 +0800
Subject: [PATCH 1/3] fix: use certifi ssl context on Windows
---
 astrbot/core/utils/network_utils.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/astrbot/core/utils/network_utils.py b/astrbot/core/utils/network_utils.py
index 047529396e..5d96b8fd20 100644
--- a/astrbot/core/utils/network_utils.py
+++ b/astrbot/core/utils/network_utils.py
@@ -6,7 +6,8 @@
 from astrbot import logger
-_SYSTEM_SSL_CTX = ssl.create_default_context()
+from astrbot.utils.http_ssl_common import build_ssl_context_with_certifi
+_SYSTEM_SSL_CTX = build_ssl_context_with_certifi()
 def is_connection_error(exc: BaseException) -> bool:
From 728d7842eab37109cf692c31f7c90af78edc457d Mon Sep 17 00:00:00 2001
From: lingyun14
Date: Sat, 25 Apr 2026 00:03:39 +0800
Subject: [PATCH 2/3] docs: update docstring to reflect hybrid SSL context
---
 astrbot/core/utils/network_utils.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/astrbot/core/utils/network_utils.py b/astrbot/core/utils/network_utils.py
index 5d96b8fd20..731384dd9a 100644
--- a/astrbot/core/utils/network_utils.py
+++ b/astrbot/core/utils/network_utils.py
@@ -93,9 +93,9 @@ def create_proxy_client(
 ) -> httpx.AsyncClient:
 """Create an httpx AsyncClient with proxy configuration if provided.
- Uses the system SSL certificate store instead of certifi, which avoids
- SSL verification failures for endpoints whose CA chain is not in certifi
- but is trusted by the operating system.
+ Uses a hybrid SSL context that combines the system SSL certificate store
+ with certifi as a fallback, ensuring compatibility across different
+ environments including Windows where the system store may be incomplete.
 Note: The caller is responsible for closing the client when done.
 Consider using the client as a context manager or calling aclose() explicitly.
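Review bot: In the `@@ -6,7 +6,8 @@` hunk of PATCH 1/3, `_SYSTEM_SSL_CTX` keeps its name but is no longer the plain OS trust store, and the swap is unconditional although the subject says "on Windows". The body of `build_ssl_context_with_certifi()` is not in this diff, but if it merges certifi's bundle into the system store, as the docstring in PATCH 2/3 describes, a root CA that an administrator removed or distrusted in the OS store can still validate a server certificate through certifi on every platform (unless the helper checks the platform itself). I would record that next to the assignment, for example `# Trust anchors: OS store plus certifi bundle; a CA removed from the OS store may still be trusted via certifi.`, and consider renaming the constant to match. The docstring edited in the `@@ -93,9 +93,9 @@` hunk calls certifi a "fallback", which reads as if it were consulted only after the system store fails; the same caveat belongs there.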
@@ -104,11 +104,11 @@ def create_proxy_client(
 provider_label: The provider name for log prefix (e.g., "OpenAI", "Gemini")
 proxy: The proxy address (e.g., "http://127.0.0.1:7890"), or None/empty
 headers: Optional custom headers to include in every request
- verify: Optional override for TLS verification. Defaults to the shared
- system SSL context when not provided.
+ verify: Optional override for TLS verification. Defaults to the hybrid
+ SSL context (system store + certifi) when not provided.
 Returns:
- An httpx.AsyncClient created with the shared system SSL context; the proxy is applied only if one is provided.
+ An httpx.AsyncClient created with the hybrid SSL context (system store + certifi); the proxy is applied only if one is provided.
 """
 resolved_verify = _SYSTEM_SSL_CTX if verify is None else verify
 if proxy:
From 88e02207f57696a1d6e4bf9823d0474c08ceeae0 Mon Sep 17 00:00:00 2001
From: Soulter <905617992@qq.com>
Date: Sat, 25 Apr 2026 16:32:46 +0800
Subject: [PATCH 3/3] chore: ruff
---
 astrbot/core/utils/network_utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/astrbot/core/utils/network_utils.py b/astrbot/core/utils/network_utils.py
index 731384dd9a..0bf6b820e0 100644
--- a/astrbot/core/utils/network_utils.py
+++ b/astrbot/core/utils/network_utils.py
@@ -5,8 +5,8 @@
 import httpx
 from astrbot import logger
-
 from astrbot.utils.http_ssl_common import build_ssl_context_with_certifi
+
 _SYSTEM_SSL_CTX = build_ssl_context_with_certifi()
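Review bot: The `verify` entry in the `@@ -104,11 +104,11 @@` hunk of PATCH 2/3 documents the default but not what an override can do. `resolved_verify = _SYSTEM_SSL_CTX if verify is None else verify` passes any non-None value through, so `verify=False` would reach httpx and turn certificate validation off for that client. I would add a line to the Args entry such as `Passing False disables certificate validation; pass an ssl.SSLContext to change the trust store instead.` The function body continues past the hunk (`if proxy:` is its last line), so how `resolved_verify` is handed to `httpx.AsyncClient` is assumed here rather than visible.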