feat(transport): Use env vars for default CA cert bundle location

Many libraries use the SSL_CERT_FILE environment variable to point at a CA bundle to use for HTTPS certificate verification. This is often used in corporate environments with internal CAs or HTTPS hijacking proxies, where the Sentry server presents a certificate not signed by one of the CAs bundled with Certifi. Additionally, Requests, Python's most popular HTTP client library, uses the REQUESTS_CA_BUNDLE variable instead. Use the SSL_CERT_FILE or REQUESTS_CA_BUNDLE vars if present to set the default CA bundle.
getsentry · Jun 12, 2024 · 2765e42 · 2765e42
1 parent 1497916
commit 2765e42
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/sentry_sdk/transport.py b/sentry_sdk/transport.py
@@ -1,5 +1,6 @@
 from abc import ABC, abstractmethod
 import io
+import os
 import gzip
 import socket
 import time
@@ -457,7 +458,6 @@ def _get_pool_options(self, ca_certs):
         options = {
             "num_pools": self._num_pools,
             "cert_reqs": "CERT_REQUIRED",
-            "ca_certs": ca_certs or certifi.where(),
         }
 
         socket_options = None  # type: Optional[List[Tuple[int, int, int | bytes]]]
@@ -477,6 +477,13 @@ def _get_pool_options(self, ca_certs):
         if socket_options is not None:
             options["socket_options"] = socket_options
 
+        options["ca_certs"] = (
+            ca_certs  # User-provided bundle from the SDK init
+            or os.environ.get("SSL_CERT_FILE")
+            or os.environ.get("REQUESTS_CA_BUNDLE")
+            or certifi.where()
+        )
+
         return options
 
     def _in_no_proxy(self, parsed_dsn):