Patch preloaded SSLContext in Requests

Co-authored-by: Seth Michael Larson <[email protected]>

Author: timo-reymann

.github/workflows/ci.yml

@@ -84,7 +84,7 @@ jobs:
   compileall:
     # Run 'python -m compileall' on an old Python version
     # to ensure that pip can vendor truststore successfully.
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04 # pin to 22.04, as with 24.04 Python 3.7 is no longer available
     name: compileall
     steps:
       - uses: actions/checkout@v4

src/truststore/_api.py

@@ -5,7 +5,7 @@
 import sys
 import typing
 
-import _ssl  # type: ignore[import-not-found]
+import _ssl
 
 from ._ssl_constants import (
     _original_SSLContext,
@@ -43,6 +43,23 @@ def inject_into_ssl() -> None:
     except ImportError:
         pass
 
+    # requests starting with 2.32.0 added a preloaded SSL context to improve concurrent performance;
+    # this unfortunately leads to a RecursionError, which can be avoided by patching the preloaded SSL context with
+    # the truststore patched instance
+    # also see https://github.com/psf/requests/pull/6667
+    try:
+        import requests.adapters
+
+        preloaded_context = getattr(requests.adapters, "_preloaded_ssl_context", None)
+        if preloaded_context is not None:
+            setattr(
+                requests.adapters,
+                "_preloaded_ssl_context",
+                SSLContext(ssl.PROTOCOL_TLS_CLIENT),
+            )
+    except ImportError:
+        pass
+
 
 def extract_from_ssl() -> None:
     """Restores the :class:`ssl.SSLContext` class to its original state"""