diff --git a/src/httpx2/httpx2/_config.py b/src/httpx2/httpx2/_config.py
index 46a6e6ec..0e9bb7ff 100644
--- a/src/httpx2/httpx2/_config.py
+++ b/src/httpx2/httpx2/_config.py
@@ -42,14 +42,20 @@ def create_ssl_context(
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
 ctx.check_hostname = False
 ctx.verify_mode = ssl.CERT_NONE
- elif isinstance(verify, str): # pragma: nocover
+ elif isinstance(verify, str):
+ if cert:
+ raise TypeError(
+ "`verify=` cannot be combined with `cert=...`. "
+ "Build an `ssl.SSLContext` and pass it as `verify=`, "
+ "using `.load_cert_chain()` to configure the certificate chain."
+ )
 message = (
 "`verify=` is deprecated. "
 "Use `verify=ssl.create_default_context(cafile=...)` "
 "or `verify=ssl.create_default_context(capath=...)` instead."
 )
 warnings.warn(message, DeprecationWarning)
- if os.path.isdir(verify):
+ if os.path.isdir(verify): # pragma: nocover
 return ssl.create_default_context(capath=verify)
 return ssl.create_default_context(cafile=verify)
 else:
diff --git a/tests/httpx2/test_config.py b/tests/httpx2/test_config.py
index ef47844e..abf2f501 100644
--- a/tests/httpx2/test_config.py
+++ b/tests/httpx2/test_config.py
@@ -83,6 +83,17 @@ def test_load_ssl_config_no_verify() -> None:
 assert context.check_hostname is False
 
 
+def test_create_ssl_context_verify_str(cert_pem_file: str) -> None:
+ with pytest.warns(DeprecationWarning, match="`verify=` is deprecated"):
+ context = httpx2.create_ssl_context(verify=cert_pem_file)
+ assert context.verify_mode == ssl.VerifyMode.CERT_REQUIRED
+
+
+def test_create_ssl_context_verify_str_with_cert_raises(cert_pem_file: str, cert_private_key_file: str) -> None:
+ with pytest.raises(TypeError, match="cannot be combined with `cert=...`"):
+ httpx2.create_ssl_context(verify=cert_pem_file, cert=(cert_pem_file, cert_private_key_file))
+
+
 def test_SSLContext_with_get_request(server: TestServer, cert_pem_file: str) -> None:
 context = httpx2.create_ssl_context()
 context.load_verify_locations(cert_pem_file)
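Review bot: The new guard `if cert:` in the `isinstance(verify, str)` branch tests truthiness, so an explicitly supplied but falsy value such as `cert=""` or `cert=()` skips the `TypeError` and reaches the early `return ssl.create_default_context(...)` lines, which load no client certificate on the returned context. Comparing against the default instead, `if cert is not None:`, would make every explicit `cert=` fail loudly on this path (assuming the parameter defaults to `None`, which the hunk does not show). A one-line comment above the guard, e.g. `# This branch returns before any cert handling, so reject cert= instead of dropping it silently.`, would record why the check lives here. The body of `create_ssl_context` starts and ends outside the hunk.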
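Review bot: `test_create_ssl_context_verify_str` pins only `verify_mode`, so a regression that left hostname checking off, or that failed to load the given CA file, would still pass. Adding `assert context.check_hostname is True` next to the existing assertion covers the first case; an assertion on the trust store, for example `assert context.cert_store_stats()["x509"] >= 1`, would cover the second, assuming `cert_pem_file` holds at least one certificate. The directory (`capath`) path of the same branch is excluded by the `# pragma: nocover` that the `_config.py` hunk moves onto `if os.path.isdir(verify):`, so that trust-store selection stays untested by this change.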