Merged
15 changes: 8 additions & 7 deletions astrbot/core/utils/network_utils.py
Expand Up @@ -5,8 +5,9 @@
import httpx

from astrbot import logger
from astrbot.utils.http_ssl_common import build_ssl_context_with_certifi

_SYSTEM_SSL_CTX = ssl.create_default_context()
_SYSTEM_SSL_CTX = build_ssl_context_with_certifi()
Contributor

medium

The change to _SYSTEM_SSL_CTX makes the docstring for create_proxy_client (specifically lines 96-98 and 111) incorrect, as it explicitly states that it "avoids certifi" and uses only the "system SSL context". Please update the docstring to reflect that a hybrid context (system + certifi) is now used.

Additionally, per the general rules, this change to the core SSL context should be accompanied by unit tests to ensure connectivity remains stable across different environments (e.g., with custom CAs or proxies).

You might also consider passing the local logger to build_ssl_context_with_certifi for better log attribution.

Suggested change
_SYSTEM_SSL_CTX = build_ssl_context_with_certifi()
_SYSTEM_SSL_CTX = build_ssl_context_with_certifi(logger)
References
  1. New functionality, such as handling attachments, should be accompanied by corresponding unit tests.



def is_connection_error(exc: BaseException) -> bool:
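Review bot: The constant name `_SYSTEM_SSL_CTX` no longer matches its contents once it is assigned from `build_ssl_context_with_certifi()`, so anyone reading a later use of it will assume OS-store-only trust. Rename it in the same change (for example `_DEFAULT_SSL_CTX`, a suggested name only) and update its uses. Also check whether the removed `ssl.create_default_context()` call was the last use of `ssl` in this module; if it was, the `ssl` import above this hunk is now unused.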
Expand Down Expand Up @@ -92,9 +93,9 @@ def create_proxy_client(
) -> httpx.AsyncClient:
"""Create an httpx AsyncClient with proxy configuration if provided.

Uses the system SSL certificate store instead of certifi, which avoids
SSL verification failures for endpoints whose CA chain is not in certifi
but is trusted by the operating system.
Uses a hybrid SSL context that combines the system SSL certificate store
with certifi as a fallback, ensuring compatibility across different
environments including Windows where the system store may be incomplete.

Note: The caller is responsible for closing the client when done.
Consider using the client as a context manager or calling aclose() explicitly.
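Review bot: "certifi as a fallback" in the new docstring paragraph does not say whether the certifi roots are always loaded alongside the system store or only when the system store cannot be loaded. The difference matters for trust decisions: if both sets end up in one context, a CA that an operator removed from the OS store is still accepted through certifi. State which behaviour `build_ssl_context_with_certifi` has, and note that callers who need OS-store-only trust should pass their own `verify`.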
Expand All @@ -103,11 +104,11 @@ def create_proxy_client(
provider_label: The provider name for log prefix (e.g., "OpenAI", "Gemini")
proxy: The proxy address (e.g., "http://127.0.0.1:7890"), or None/empty
headers: Optional custom headers to include in every request
verify: Optional override for TLS verification. Defaults to the shared
system SSL context when not provided.
verify: Optional override for TLS verification. Defaults to the hybrid
SSL context (system store + certifi) when not provided.

Returns:
An httpx.AsyncClient created with the shared system SSL context; the proxy is applied only if one is provided.
An httpx.AsyncClient created with the hybrid SSL context (system store + certifi); the proxy is applied only if one is provided.
"""
resolved_verify = _SYSTEM_SSL_CTX if verify is None else verify
if proxy:
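Review bot: The new Returns line says the client is created with the hybrid SSL context, but `resolved_verify = _SYSTEM_SSL_CTX if verify is None else verify` uses the caller's `verify` whenever one is passed, so that sentence only holds for the default. Reword it to something like "created with the hybrid SSL context unless `verify` is overridden", and have the `verify` entry say that the override is used as given, including values that turn certificate verification off.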