From: Tom Christie <tom@tomchristie.com>
Date: Wed, 4 Dec 2024 11:29:09 +0000 (+0000)
Subject: Fix `verify=False`, `cert=...` case. (#3442)
X-Git-Tag: 0.28.1~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=89599a9541af14bcf906fc4ed58ccbdf403802ba;p=thirdparty%2Fhttpx.git

Fix `verify=False`, `cert=...` case. (#3442)
---

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 060013b0..4f1233ef 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## Dev
+
+* Fix SSL case where `verify=False` together with client side certificates.
+ 
 ## 0.28.0 (28th November, 2024)
 
 The 0.28 release includes a limited set of deprecations.
diff --git a/httpx/_config.py b/httpx/_config.py
index dbd2b46c..467a6c90 100644
--- a/httpx/_config.py
+++ b/httpx/_config.py
@@ -39,10 +39,9 @@ def create_ssl_context(
             # Default case...
             ctx = ssl.create_default_context(cafile=certifi.where())
     elif verify is False:
-        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
-        ssl_context.check_hostname = False
-        ssl_context.verify_mode = ssl.CERT_NONE
-        return ssl_context
+        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        ctx.check_hostname = False
+        ctx.verify_mode = ssl.CERT_NONE
     elif isinstance(verify, str):  # pragma: nocover
         message = (
             "`verify=<str>` is deprecated. "