Fix Socket.IO TLS context for pinned certificates

2025-10-26 17:41:58 -06:00 · 2025-10-18 05:31:12 -06:00
parent 3a71cc4c42
commit 45ac0dc7a4
1 changed files with 8 additions and 1 deletions
--- a/Data/Agent/agent.py
+++ b/Data/Agent/agent.py
@@ -931,8 +931,15 @@ class AgentHttpClient:
            context = None
            if isinstance(verify, str) and os.path.isfile(verify):
                try:
-                    context = ssl.create_default_context(cafile=verify)
+                    # ``create_default_context`` expects a proper CA bundle and
+                    # will reject self-signed leaf certificates that we pin on
+                    # disk. Build a dedicated client context instead and load
+                    # the pinned certificate as a trust anchor so the SYSTEM
+                    # agent can complete TLS handshakes identical to Requests.
+                    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                    context.check_hostname = False
+                    context.verify_mode = ssl.CERT_REQUIRED
+                    context.load_verify_locations(cafile=verify)
                    _log_agent(
                        f"SocketIO TLS alignment created SSLContext from cafile={verify}",
                        fname="agent.log",