Merge pull request #19 from hmbmirzaei/fix/macos-certifi-ca-bundle

fix: load certifi CA bundle for outbound TLS contexts

src/domain_fronter.py

@@ -20,6 +20,11 @@ import time
 from dataclasses import dataclass
 from urllib.parse import urlparse
 
+try:
+    import certifi
+except Exception:  # optional dependency fallback
+    certifi = None
+
 import codec
 from constants import (
     BATCH_MAX,
@@ -175,6 +180,14 @@ class DomainFronter:
 
     def _ssl_ctx(self) -> ssl.SSLContext:
         ctx = ssl.create_default_context()
+        # Some Python builds on macOS ship without a usable system CA path.
+        # Prefer certifi's CA bundle when available to avoid spurious
+        # CERTIFICATE_VERIFY_FAILED errors on valid public certificates.
+        if certifi is not None:
+            try:
+                ctx.load_verify_locations(cafile=certifi.where())
+            except Exception:
+                pass
         if not self.verify_ssl:
             ctx.check_hostname = False
             ctx.verify_mode = ssl.CERT_NONE

src/h2_transport.py

@@ -20,6 +20,11 @@ import socket
 import ssl
 from urllib.parse import urlparse
 
+try:
+    import certifi
+except Exception:  # optional dependency fallback
+    certifi = None
+
 import codec
 
 log = logging.getLogger("H2")
@@ -106,6 +111,13 @@ class H2Transport:
     async def _do_connect(self):
         """Establish the HTTP/2 connection with optimized socket settings."""
         ctx = ssl.create_default_context()
+        # Some Python builds don't expose a usable default CA store.
+        # Load certifi bundle when present to keep TLS verification stable.
+        if certifi is not None:
+            try:
+                ctx.load_verify_locations(cafile=certifi.where())
+            except Exception:
+                pass
         # Advertise both h2 and http/1.1 — some DPI blocks h2-only ALPN
         ctx.set_alpn_protocols(["h2", "http/1.1"])
         if not self.verify_ssl:

src/proxy_server.py

@@ -15,6 +15,11 @@ import time
 import ipaddress
 from urllib.parse import urlparse
 
+try:
+    import certifi
+except Exception:  # optional dependency fallback
+    certifi = None
+
 from constants import (
     CACHE_MAX_MB,
     CACHE_TTL_MAX,
@@ -862,6 +867,11 @@ class ProxyServer:
 
         # Step 2: open outgoing TLS to target IP with the safe SNI
         ssl_ctx_client = ssl.create_default_context()
+        if certifi is not None:
+            try:
+                ssl_ctx_client.load_verify_locations(cafile=certifi.where())
+            except Exception:
+                pass
         if not self.fronter.verify_ssl:
             ssl_ctx_client.check_hostname = False
             ssl_ctx_client.verify_mode = ssl.CERT_NONE