feat(transport): Use env vars for default CA cert bundle location (#3160)

Many libraries use the SSL_CERT_FILE environment variable to point at a
CA bundle to use for HTTPS certificate verification. This is often used
in corporate environments with internal CAs or HTTPS hijacking proxies,
where the Sentry server presents a certificate not signed by one of the
CAs bundled with Certifi. Additionally, Requests, Python's most popular
HTTP client library, uses the REQUESTS_CA_BUNDLE variable instead.

Use the SSL_CERT_FILE or REQUESTS_CA_BUNDLE vars if present to set the
default CA bundle.

Fixes GH-3158

Co-authored-by: Neel Shah <[email protected]>

Author: DragoonAethis

sentry_sdk/transport.py

@@ -1,5 +1,6 @@
 from abc import ABC, abstractmethod
 import io
+import os
 import gzip
 import socket
 import time
@@ -457,7 +458,6 @@ def _get_pool_options(self, ca_certs):
         options = {
             "num_pools": self._num_pools,
             "cert_reqs": "CERT_REQUIRED",
-            "ca_certs": ca_certs or certifi.where(),
         }
 
         socket_options = None  # type: Optional[List[Tuple[int, int, int | bytes]]]
@@ -477,6 +477,13 @@ def _get_pool_options(self, ca_certs):
         if socket_options is not None:
             options["socket_options"] = socket_options
 
+        options["ca_certs"] = (
+            ca_certs  # User-provided bundle from the SDK init
+            or os.environ.get("SSL_CERT_FILE")
+            or os.environ.get("REQUESTS_CA_BUNDLE")
+            or certifi.where()
+        )
+
         return options
 
     def _in_no_proxy(self, parsed_dsn):