Skip to content

fix: replace module-level SSLContext with verify=True to prevent event loop blocking#48

Open
diegolameira wants to merge 1 commit into
alandtse:mainfrom
diegolameira:fix/async-ssl-context-blocking
Open

fix: replace module-level SSLContext with verify=True to prevent event loop blocking#48
diegolameira wants to merge 1 commit into
alandtse:mainfrom
diegolameira:fix/async-ssl-context-blocking

Conversation

@diegolameira
Copy link
Copy Markdown

@diegolameira diegolameira commented Apr 14, 2026
edited by coderabbitai Bot
Loading

Problem

The default session_factory in AuthCaptureProxy.__init__ uses:

ssl_context = create_default_context()  # module level
...
lambda: httpx.AsyncClient(verify=ssl_context)

When this factory is called inside an async event loop (e.g., from reset_data() during a Home Assistant config flow), httpx internally calls ssl.SSLContext.load_verify_locations(), which is a blocking I/O operation.

On Python 3.13+ and Home Assistant 2024.10+, this triggers:

Detected blocking call to load_verify_locations with args (<ssl.SSLContext ...>)
inside the event loop by custom integration 'alexa_media'

In some configurations (especially with HA 2026.4+ / Python 3.14), this blocking call can cause HA Core to crash with exit code 100 and enter a restart loop, making the entire instance unreachable.

Fix

Replace verify=ssl_context with verify=True. This lets httpx handle SSL verification through its own default certifi CA bundle — same security level, no blocking call.

The module-level create_default_context() and its import are also removed since they're no longer needed (the SSLContext import is retained for start_proxy()).

Related Issues

Testing

  • Verified on Home Assistant 2026.4.1 (Python 3.14) with alexa_media_player 5.15.0
  • Before fix: HA enters crash/restart loop with exit code 100, load_verify_locations blocking warnings
  • After fix: HA boots cleanly, alexa_media loads without blocking warnings

Summary by CodeRabbit

  • Refactor
    • Simplified internal SSL verification configuration for the auth proxy, streamlining how secure connections are established without affecting end-user functionality.

@diegolameira
fix: replace module-level SSLContext with verify=True to prevent even…
4d4888b 
…t loop blocking

The default session_factory used httpx.AsyncClient(verify=ssl_context) where
ssl_context was a module-level create_default_context() object. When this
factory is invoked inside an async event loop (e.g., from reset_data() during
Home Assistant config flow), httpx internally calls
ssl.SSLContext.load_verify_locations(), which is a blocking I/O operation.

On Python 3.13+ and Home Assistant 2024.10+, this triggers:
  'Detected blocking call to load_verify_locations inside the event loop'

Using verify=True instead lets httpx handle SSL verification through its own
default certifi CA bundle, achieving the same security level without the
blocking call.

Fixes: alandtse/alexa_media_player#3380
Fixes: alandtse/alexa_media_player#2504
Fixes: alandtse/alexa_media_player#2503
Fixes: alandtse/alexa_media_player#2625
Fixes: alandtse/alexa_media_player#2519
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 14, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9ff2faab-e3de-413b-92d6-3f4e00bf7693

📥 Commits

Reviewing files that changed from the base of the PR and between 67005c7 and 4d4888b.

📒 Files selected for processing (1)
  • authcaptureproxy/auth_capture_proxy.py

Walkthrough

The module-level SSL context preconfiguration has been removed from the auth capture proxy. The HTTP client session factory now relies on the default SSL verification behavior (verify=True) instead of using a custom preconfigured SSL context, and the corresponding import has been cleaned up.

Changes

Cohort / File(s) Summary
SSL Context Removal
authcaptureproxy/auth_capture_proxy.py		 Removed module-level ssl_context creation via create_default_context() and updated session factory to use default SSL verification (verify=True) instead of passing a preconfigured context. Removed unused import.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

SSL contexts melted away,
Default verification saves the day,
Three lines gone, simplicity gained,
The code now clean, no context strained. 🔐✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed Title clearly and specifically summarizes the main change: replacing a module-level SSLContext with verify=True to fix event loop blocking.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@ocean90 ocean90 mentioned this pull request Apr 27, 2026
Open
@danielbrunt57
Copy link
Copy Markdown
Contributor

danielbrunt57 commented Apr 28, 2026
edited
Loading

@diegolameira Please address the pull request test failure!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@diegolameira @danielbrunt57