hermes - ✅(Solved) Fix DeprecationWarning: deprecated in httpx (ssl.create_default_context) [3 pull requests, 1 participants]

GitHub stats
NousResearch/hermes-agent#12706 (fetched 2026-04-20 12:17:17)
Comments: 0 · Participants: 1 · Timeline: 9 · Reactions: 0
Timeline (top): referenced ×5, cross-referenced ×3, closed ×1

Fix Action

Fixed

PR fix notes

PR #12761: fix: use ssl.create_default_context() for httpx verify param

Description (problem / solution / changelog)

Problem

When a custom CA bundle is configured, _resolve_verify() returns the raw file path string, which triggers a DeprecationWarning from httpx:

DeprecationWarning: `verify=<str>` is deprecated. Use `verify=ssl.create_default_context(cafile=...)` instead.

This will break in a future httpx release when the deprecated API is removed.

Fix

In _resolve_verify(), return ssl.create_default_context(cafile=ca_path) instead of the raw path string.

Fixes #12706

Changed files

  • agent/auxiliary_client.py (modified, +1/-1)
  • hermes_cli/auth.py (modified, +3/-2)

PR #12830: fix(auth): use ssl.SSLContext for CA bundle instead of deprecated string path

Description (problem / solution / changelog)

What changed

_resolve_verify() in hermes_cli/auth.py now returns ssl.SSLContext instead of a raw file path string when a custom CA bundle is configured. This aligns with httpx's API expectations — verify=<str> is deprecated in favor of verify=ssl.SSLContext.

Before: When a custom CA bundle was configured (via HERMES_CA_BUNDLE, SSL_CERT_FILE, or auth state), _resolve_verify() returned the file path as a string. Recent versions of httpx deprecated verify=<str>, producing deprecation warnings.

After: Returns ssl.create_default_context(cafile=<path>), which is the recommended way to pass custom CA bundles to httpx and other HTTP libraries.

Changes:

  • hermes_cli/auth.py: Return ssl.SSLContext instead of str; use module-level logger instead of inline import
  • tests/hermes_cli/test_auth_nous_provider.py: Updated existing tests to assert isinstance(result, ssl.SSLContext) with mocked PEM loading
  • tests/test_resolve_verify_ssl_context.py: New comprehensive test suite covering all return paths

How to test

  1. Set a custom CA bundle: export HERMES_CA_BUNDLE=/path/to/ca-bundle.crt
  2. Run any authenticated command and verify no deprecation warnings
  3. Run the test suite:
    pytest tests/test_resolve_verify_ssl_context.py tests/hermes_cli/test_auth_nous_provider.py -v

Platforms tested

  • Linux (Docker container, Python 3.11)

Closes #12706

Changed files

  • hermes_cli/auth.py (modified, +4/-4)
  • tests/hermes_cli/test_auth_nous_provider.py (modified, +20/-4)
  • tests/test_resolve_verify_ssl_context.py (added, +84/-0)

PR #12838: fix(auth): use ssl.SSLContext for CA bundle instead of deprecated string path

Description (problem / solution / changelog)

Salvage of #12830 by @Tranquil-Flow. Closes #12706.

Hermes no longer emits DeprecationWarning: `verify=<str>` is deprecated from httpx when a custom CA bundle is configured.

Changes

  • hermes_cli/auth.py _resolve_verify(): returns ssl.create_default_context(cafile=path) instead of the raw path string; uses the module-level logger instead of an inline import logging. Consumer sites at lines 1927 / 2022 / 2218 / 3208 pass the return value to httpx.Client(verify=...) — httpx 0.28.x accepts ssl.SSLContext cleanly.
  • tests/hermes_cli/test_auth_nous_provider.py: updated two tests to assert isinstance(result, ssl.SSLContext) with a monkeypatched ssl.create_default_context so no real PEM is loaded.

Dropped the contributor's new tests/test_resolve_verify_ssl_context.py — it used ssl.get_default_verify_paths().cafile at module load, which is None on macOS and several Linux builds, making 3 of its 6 tests non-portable. The updated tests in test_auth_nous_provider.py already cover every _resolve_verify return path platform-agnostically via tmp_path.

Validation

  • scripts/run_tests.sh tests/hermes_cli/test_auth_nous_provider.py → 24/24 pass.
  • E2E with real httpx.Client(verify=<returned_ctx>) against /etc/ssl/certs — no deprecation warning fires; the same client with the raw path string still warns (confirms the bug and the fix).

Changed files

  • hermes_cli/auth.py (modified, +4/-4)
  • tests/hermes_cli/test_auth_nous_provider.py (modified, +20/-4)

Code Example

/root/.hermes/hermes-agent/venv/lib/python3.11/site-packages/httpx/_config.py:51: DeprecationWarning: `verify=<str>` is deprecated. Use `verify=ssl.create_default_context(cafile=...)` or `verify=ssl.create_default_context(capath=...)` instead.

---

return ca_path

---

return ssl.create_default_context(cafile=ca_path)
RAW_BUFFER

When interacting with Hermes, the following deprecation warning appears in stderr:

/root/.hermes/hermes-agent/venv/lib/python3.11/site-packages/httpx/_config.py:51: DeprecationWarning: `verify=<str>` is deprecated. Use `verify=ssl.create_default_context(cafile=...)` or `verify=ssl.create_default_context(capath=...)` instead.

Source: hermes_cli/auth.py, function _resolve_verify() (line 1650). When a custom CA bundle is configured (via ca_bundle config, HERMES_CA_BUNDLE, or SSL_CERT_FILE env var), it returns the raw file path string on line 1681. This string is then passed to httpx.Client(verify=verify) at lines 1846, 1952, 2025, 2228, and 3208.

Fix: In _resolve_verify(), line 1681, replace:

return ca_path

with:

return ssl.create_default_context(cafile=ca_path)

This is harmless for now but will break in a future httpx version when the deprecated API is removed.

extent analysis

TL;DR

To fix the deprecation warning, update the _resolve_verify() function in hermes_cli/auth.py to return an SSL context instead of a raw file path string.

Guidance

  • The deprecation warning is caused by passing a string to the verify parameter of httpx.Client; httpx will remove support for string values in a future version.
  • To verify the fix, run the Hermes interaction that previously triggered the warning and check that the warning no longer appears in stderr.
  • Update the _resolve_verify() function to return ssl.create_default_context(cafile=ca_path) instead of just ca_path to fix the issue.
  • Make sure to test the updated code with different CA bundle configurations to ensure it works as expected.

Example

import ssl

def _resolve_verify():
    # ...
    ca_path = ...  # custom CA bundle path
    return ssl.create_default_context(cafile=ca_path)

Notes

This fix assumes that the ssl module is available and that the custom CA bundle is in a file that can be used with ssl.create_default_context(). If the CA bundle is in a different format, additional modifications may be needed.

Recommendation

Apply the workaround by updating the _resolve_verify() function to return an SSL context, as this will ensure compatibility with future versions of httpx.
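
With this fix the CA bundle is read when the context is built, so an unusable bundle surfaces inside the resolver. The block below is an added example, not the project's code: it sketches that resolution step and a check that the returned value still enforces certificate and hostname verification. The names resolve_verify, is_strict and bundle_error are hypothetical, and failing closed on an unloadable bundle is this example's assumption.

```python
import os
import ssl
import tempfile


def resolve_verify(env=None):
    """Return True (library default trust store) or an ssl.SSLContext.

    Hypothetical stand-in for the page's _resolve_verify(): it reads only the
    two environment variables named on the page and, as an assumption of this
    example, fails closed when the bundle cannot be loaded.
    """
    env = os.environ if env is None else env
    ca_path = env.get("HERMES_CA_BUNDLE") or env.get("SSL_CERT_FILE")
    if not ca_path:
        return True
    try:
        # The PEM file is read here, not at the first request. Because cafile
        # is given, the system trust store is not loaded into this context.
        ctx = ssl.create_default_context(cafile=ca_path)
    except OSError as exc:  # FileNotFoundError and ssl.SSLError are OSErrors
        # Do not degrade to verify=False when the bundle is unusable.
        raise RuntimeError(f"CA bundle {ca_path!r} is unusable: {exc}") from exc
    return ctx


def is_strict(verify):
    """True if the value keeps certificate and hostname verification on."""
    if verify is True:
        return True
    return (isinstance(verify, ssl.SSLContext)
            and verify.verify_mode == ssl.CERT_REQUIRED
            and verify.check_hostname)


def bundle_error(content):
    """Write constructed content to a temp bundle; return the error or None."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ca-bundle.crt")
        with open(path, "w") as fh:
            fh.write(content)
        try:
            resolve_verify({"HERMES_CA_BUNDLE": path})
        except RuntimeError as exc:
            return str(exc)
    return None
```

A raw path string or `False` fails `is_strict`, which makes it usable as a guard in tests around every call site that passes the resolver's result to `httpx.Client(verify=...)`.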
