When one uses zero trust solutions like ZScaler or Netskope, they act like a proxy and inject their own SSL certificate. This often results in SSL cert verification errors like:
An error occurred: HTTPSConnectionPool(host='xxx.xxx.xxx', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1018)')))
The Python requests library allows one to set an env variable for REQUESTS_CA_BUNDLE which it will load. You import the security vendor's root cert into certifi and point to its truststore and the SSL verification succeeds.
I found a long bug thread for aiohttp discussing this, and they suggest ways to construct the sslContext for users of aiohttp to address this same concern without using ENV variables.
aio-libs/aiohttp#3180
The problem is that one can't do this when aiohttp is used in some other project...in this case the okta client.
I am unable to use the okta client and have to rewrite everything using the requests library...which I have working.
Is there a way to configure the okta client to be aware of custom certs and pass them to aiohttp appropriately?
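For reference, the general pattern of constructing an `ssl.SSLContext` for aiohttp that trusts an additional root CA while keeping certificate and hostname verification on, as an added example that is not part of the original issue and not code from the okta client or the linked aiohttp thread. The function names and the CA file path are hypothetical, and whether a library wrapping aiohttp exposes a way to pass such a context is the open question of this issue.

```python
import os
import ssl


def build_ssl_context(extra_ca_file=None):
    """Return a verifying client context that also trusts one extra root CA.

    extra_ca_file is a hypothetical path to the inspection proxy's root
    certificate in PEM form (exported from the vendor or the OS trust store).
    """
    # Platform defaults: system CAs, CERT_REQUIRED and hostname checking.
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if extra_ca_file is not None:
        if not os.path.isfile(extra_ca_file):
            raise FileNotFoundError(f"CA bundle not found: {extra_ca_file}")
        # Adds to the existing trust store rather than replacing it;
        # raises ssl.SSLError if the file holds no PEM certificate.
        ctx.load_verify_locations(cafile=extra_ca_file)
    # Guard against a later edit that silences the error by weakening checks.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS verification must stay enabled")
    return ctx


async def fetch_status(url, extra_ca_file=None):
    """GET url through aiohttp using the context above; return the HTTP status."""
    import aiohttp  # imported lazily so build_ssl_context works without aiohttp

    connector = aiohttp.TCPConnector(ssl=build_ssl_context(extra_ca_file))
    async with aiohttp.ClientSession(connector=connector) as session:
        async with session.get(url) as resp:
            return resp.status


# Usage (constructed values):
#   import asyncio
#   asyncio.run(fetch_status("https://example.com/", "/etc/ssl/corp-root.pem"))
```

The context only widens the set of trusted issuers; a certificate that fails hostname or chain validation is still rejected.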