PYTHON-5040 Use PROTOCOL_TLS_CLIENT in http_post for Python 3.14

blink1073 · blink1073 · commit b317e1d11e04 · 2026-06-10T13:20:19.000-05:00
Python 3.14 sets X509_V_FLAG_X509_STRICT in ssl.create_default_context(), which requires Subject Key Identifier on all certs including the root CA. We intentionally omit SKI from the CA cert because adding it causes macOS SecTrust to trigger OCSP revocation checks during MongoDB 4.2 server startup, resulting in ~67-second connection timeouts. Using ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) instead gives the same security guarantees (certificate verification, hostname checking) without enabling strict mode, matching pre-Python-3.14 behavior.
diff --git a/test/asynchronous/test_encryption.py b/test/asynchronous/test_encryption.py
@@ -3045,7 +3045,13 @@ async def asyncSetUp(self):
     async def http_post(self, path, data=None):
         # Note, the connection to the mock server needs to be closed after
         # each request because the server is single threaded.
-        ctx = ssl.create_default_context(cafile=CA_PEM)
+        # Use PROTOCOL_TLS_CLIENT instead of create_default_context so that
+        # X509_V_FLAG_X509_STRICT is not set.  Python 3.14 enables strict mode
+        # in create_default_context, which requires SKI on the root CA cert.
+        # We intentionally omit SKI from the CA cert to prevent macOS SecTrust
+        # from triggering OCSP revocation checks during MongoDB 4.2 server startup.
+        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        ctx.load_verify_locations(cafile=CA_PEM)
         ctx.load_cert_chain(CLIENT_PEM)
         conn = http.client.HTTPSConnection("127.0.0.1:9003", context=ctx)
         try:
diff --git a/test/test_encryption.py b/test/test_encryption.py
@@ -3027,7 +3027,13 @@ def setUp(self):
     def http_post(self, path, data=None):
         # Note, the connection to the mock server needs to be closed after
         # each request because the server is single threaded.
-        ctx = ssl.create_default_context(cafile=CA_PEM)
+        # Use PROTOCOL_TLS_CLIENT instead of create_default_context so that
+        # X509_V_FLAG_X509_STRICT is not set.  Python 3.14 enables strict mode
+        # in create_default_context, which requires SKI on the root CA cert.
+        # We intentionally omit SKI from the CA cert to prevent macOS SecTrust
+        # from triggering OCSP revocation checks during MongoDB 4.2 server startup.
+        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        ctx.load_verify_locations(cafile=CA_PEM)
         ctx.load_cert_chain(CLIENT_PEM)
         conn = http.client.HTTPSConnection("127.0.0.1:9003", context=ctx)
         try:
