From 45ac0dc7a4c5ee570d643d89f31119feeb5af3d5 Mon Sep 17 00:00:00 2001
From: Nicole Rappe
Date: Sat, 18 Oct 2025 05:31:12 -0600
Subject: [PATCH] Fix Socket.IO TLS context for pinned certificates
---
 Data/Agent/agent.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/Data/Agent/agent.py b/Data/Agent/agent.py
index aaaa749..1647f78 100644
--- a/Data/Agent/agent.py
+++ b/Data/Agent/agent.py
@@ -931,8 +931,15 @@ class AgentHttpClient:
 context = None
 if isinstance(verify, str) and os.path.isfile(verify):
 try:
- context = ssl.create_default_context(cafile=verify)
+ # ``create_default_context`` expects a proper CA bundle and
+ # will reject self-signed leaf certificates that we pin on
+ # disk. Build a dedicated client context instead and load
+ # the pinned certificate as a trust anchor so the SYSTEM
+ # agent can complete TLS handshakes identical to Requests.
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
 context.check_hostname = False
+ context.verify_mode = ssl.CERT_REQUIRED
+ context.load_verify_locations(cafile=verify)
 _log_agent(
 f"SocketIO TLS alignment created SSLContext from cafile={verify}",
 fname="agent.log",
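Review bot: With `context.check_hostname = False` kept next to the new `context.load_verify_locations(cafile=verify)`, the pinned file is the only thing that authenticates the server, and the added comment does not say so. If that file ever holds a CA-capable certificate, or more than one certificate, any certificate chaining to it would be accepted for any hostname, so I would state the assumption in the comment, e.g. `# Hostname checking is off: trust rests solely on the pinned cert in ``verify``, which must be a single leaf certificate.` `ssl.PROTOCOL_TLS_CLIENT` already sets `verify_mode` to `ssl.CERT_REQUIRED`, so that assignment is redundant, though harmless as an explicit statement of intent. The `try:` opens inside the hunk but its `except` branch lies outside it, so it is worth confirming that a failure in `load_verify_locations` fails closed rather than falling back to an unverified connection.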