...
}
```
+
+## SSL certificates
+
+When making a request over HTTPS, HTTPX needs to verify the identity of the requested host. To do this, it uses a bundle of SSL certificates (a.k.a. CA bundle) delivered by a trusted certificate authority (CA).
+
+### Default CA bundle
+
+By default, HTTPX uses the CA bundle provided by [Certifi](https://pypi.org/project/certifi/). This is what you want in most cases, even though some advanced situations may require you to use a different set of certificates.
+
+### Using a custom CA bundle
+
+If you'd like to use a custom CA bundle, you can use the `verify` parameter that is available on the high-level API as well as clients. For example:
+
+```python
+import httpx
+
+r = httpx.get("https://example.org", verify="path/to/client.pem")
+```
+
+### Making HTTPS requests to a local server
+
+When making requests to local servers, such as a development server running on `localhost`, you will typically be using unencrypted HTTP connections.
+
+If you do need to make HTTPS connections to a local server, for example to test an HTTPS-only service, you will need to create and use your own certificates. Here's one way to do it:
+
+1. Use [trustme-cli](https://github.com/sethmlarson/trustme-cli/) to generate a pair of server key/cert files, and a client cert file.
+1. Pass the server key/cert files when starting your local server. (This depends on the particular web server you're using. For example, [Uvicorn](https://www.uvicorn.org) provides the `--ssl-keyfile` and `--ssl-certfile` options.)
+1. Tell HTTPX to use the certificates stored in `client.pem`:
+
+```python
+>>> import httpx
+>>> r = httpx.get("https://localhost:8000", verify="/tmp/client.pem")
+>>> r
+Response <200 OK>
+```
auth: AuthTypes = None,
timeout: TimeoutTypes = None,
allow_redirects: bool = True,
- cert: CertTypes = None,
verify: VerifyTypes = True,
+ cert: CertTypes = None,
stream: bool = False,
trust_env: bool = None,
) -> Response:
* **timeout** - *(optional)* The timeout configuration to use when sending
the request.
* **allow_redirects** - *(optional)* Enables or disables HTTP redirects.
- * **cert** - *(optional)* Either a path to an SSL certificate file, or
+ * **verify** - *(optional)* SSL certificates (a.k.a CA bundle) used to
+ verify the identity of requested hosts. Either `True` (default CA bundle),
+ a path to an SSL certificate file, or `False` (disable verification).
+ * **cert** - *(optional)* An SSL certificate used by the requested host
+ to authenticate the client. Either a path to an SSL certificate file, or
two-tuple of (certificate file, key file), or a three-tuple of (certificate
file, key file, password).
- * **verify** - *(optional)* Enables or disables SSL verification.
* **trust_env** - *(optional)* Enables or disables usage of environment
variables for configuration.
* **proxies** - *(optional)* A dictionary mapping HTTP protocols to proxy
sending requests.
* **cookies** - *(optional)* Dictionary of Cookie items to include when
sending requests.
- * **verify** - *(optional)* Enables or disables SSL verification.
- * **cert** - *(optional)* Either a path to an SSL certificate file, or
+ * **verify** - *(optional)* SSL certificates (a.k.a CA bundle) used to
+ verify the identity of requested hosts. Either `True` (default CA bundle),
+ a path to an SSL certificate file, or `False` (disable verification).
+ * **cert** - *(optional)* An SSL certificate used by the requested host
+ to authenticate the client. Either a path to an SSL certificate file, or
two-tuple of (certificate file, key file), or a three-tuple of (certificate
file, key file, password).
* **http_versions** - *(optional)* A list of strings of HTTP protocol
stream: bool = False,
auth: AuthTypes = None,
allow_redirects: bool = True,
- cert: CertTypes = None,
verify: VerifyTypes = None,
+ cert: CertTypes = None,
timeout: TimeoutTypes = None,
trust_env: bool = None,
) -> Response:
* **auth** - *(optional)* An authentication class to use when sending the
request.
* **allow_redirects** - *(optional)* Enables or disables HTTP redirects.
- * **cert** - *(optional)* Either a path to an SSL certificate file, or
+ * **verify** - *(optional)* SSL certificates (a.k.a CA bundle) used to
+ verify the identity of requested hosts. Either `True` (default CA bundle),
+ a path to an SSL certificate file, or `False` (disable verification).
+ * **cert** - *(optional)* An SSL certificate used by the requested host
+ to authenticate the client. Either a path to an SSL certificate file, or
two-tuple of (certificate file, key file), or a three-tuple of (certificate
file, key file, password).
- * **verify** - *(optional)* Enables or disables SSL verification.
* **timeout** - *(optional)* The timeout configuration to use when sending
the request.
* **trust_env** - *(optional)* Enables or disables usage of environment
projects / thirdparty / httpx.git / commitdiff
