2.32.5 breaks passing custom SSL context

[Tasssadar]

2.32.5 change 90fee08 breaks passing of custom ssl context using an adapter like this:

class SSLContextAdapter(requests.adapters.HTTPAdapter):
    @override
    def init_poolmanager(self, *args: Any, **kwargs: Any) -> Any:
        kwargs["ssl_context"] = ssl.create_default_context()
        return super().init_poolmanager(*args, **kwargs)  # type: ignore

ssl_adapter = SSLContextAdapter()
session.mount("https://", ssl_adapter)

Now, if verify=True, the code in

requests/src/requests/adapters.py

Lines 292 to 313 in 90fee08

	if url.lower().startswith("https") and verify:
	cert_loc = None
	# Allow self-specified cert location.
	if verify is not True:
	cert_loc = verify
	if not cert_loc:
	cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
	if not cert_loc or not os.path.exists(cert_loc):
	raise OSError(
	f"Could not find a suitable TLS CA certificate bundle, "
	f"invalid path: {cert_loc}"
	)
	conn.cert_reqs = "CERT_REQUIRED"
	if not os.path.isdir(cert_loc):
	conn.ca_certs = cert_loc
	else:
	conn.ca_cert_dir = cert_loc

always sets ca_certs, which causes urllib3 to modify the ssl_context by loading more certs into it here.

EDIT: I can be fixed by overriding also cert_verify:

class SSLContextAdapter(requests.adapters.HTTPAdapter):
    @override
    def init_poolmanager(self, *args: Any, **kwargs: Any) -> Any:
        kwargs["ssl_context"] = ssl.create_default_context()
        return super().init_poolmanager(*args, **kwargs)  # type: ignore

    @override
    def cert_verify(self, *_args: Any, **_kwargs: Any) -> None:
        pass


ssl_adapter = SSLContextAdapter()
session.mount("https://", ssl_adapter)

I'd say this belongs to documentation and needs some tests, so that future changes don't break it again - will prepare a PR if I'll have time.