fix: propagate ssl_verify in AsyncHTTPHandler retry paths and BaseLLMAIOHTTPHandler#30848
Conversation
Greptile SummaryThis PR propagates
Confidence Score: 3/5The http_handler.py changes are safe and correct; the aiohttp_handler.py change has a gap where string CA-bundle paths are accepted by the new parameter but silently dropped before reaching the transport. The AsyncHTTPHandler retry fix is well-scoped and correctly routes through get_ssl_configuration. The BaseLLMAIOHTTPHandler change widens the accepted type to Union[bool, str] at the class boundary, but _create_aiohttp_transport and _get_ssl_connector_kwargs only check ssl_verify is False; a CA-bundle file path is never loaded or applied, so users passing a string to BaseLLMAIOHTTPHandler would silently fall back to default SSL verification instead of their custom CA. litellm/llms/custom_httpx/aiohttp_handler.py — specifically the _get_or_create_transport path and how string ssl_verify values are not translated into an ssl.SSLContext before being handed to _create_aiohttp_transport
|
| Filename | Overview |
|---|---|
| litellm/llms/custom_httpx/aiohttp_handler.py | Adds ssl_verify to BaseLLMAIOHTTPHandler.init and forwards it to _create_aiohttp_transport; string CA-bundle paths are silently dropped because the underlying _get_ssl_connector_kwargs only handles Optional[bool] |
| litellm/llms/custom_httpx/http_handler.py | Stores ssl_verify on AsyncHTTPHandler instance and passes it through all four retry create_client() calls; correctly routes through get_ssl_configuration which handles bool, string, and SSLContext values |
Reviews (1): Last reviewed commit: "fix: propagate ssl_verify through BaseLL..." | Re-trigger Greptile
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| client_session: Optional[aiohttp.ClientSession] = None, | ||
| transport: Optional[LiteLLMAiohttpTransport] = None, | ||
| connector: Optional[aiohttp.BaseConnector] = None, | ||
| ssl_verify: Optional[Union[bool, str]] = None, |
There was a problem hiding this comment.
BaseLLMAIOHTTPHandler now advertises ssl_verify: Optional[Union[bool, str]], accepting a CA-bundle file path (e.g. "/etc/ssl/my-ca.pem"). However, _create_aiohttp_transport (and its delegate _get_ssl_connector_kwargs) only handle Optional[bool]; a string value falls through both conditionals (ssl_context is not None and ssl_verify is False) and is silently ignored, leaving the transport with default SSL verification instead of the user's custom CA. Contrast this with AsyncHTTPHandler.create_client, which calls get_ssl_configuration(ssl_verify) first and properly converts a path to an ssl.SSLContext before configuring the transport. The aiohttp path should do the same.
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
… remove trailing blank line
Added SSL configuration handling to transport creation.
1 participant
Problem
Fixes #30778
ssl_verifyis silently dropped in two places:AsyncHTTPHandlerretry paths —post(),put(),patch(), anddelete()all catchhttpx.RemoteProtocolError/httpx.ConnectErrorand recreate the client viaself.create_client(), but none passedssl_verify. This means any retry after a connection error ignores the user's SSL setting.BaseLLMAIOHTTPHandler—__init__had nossl_verifyparameter, so_get_or_create_transport()calledAsyncHTTPHandler._create_aiohttp_transport()without any SSL args.Fix
http_handler.pyssl_verifyon the instance asself.ssl_verifyinAsyncHTTPHandler.__init__ssl_verify=self.ssl_verifyin all four retrycreate_client()callsaiohttp_handler.pyssl_verify: Optional[Union[bool, str]] = Noneparameter toBaseLLMAIOHTTPHandler.__init__self.ssl_verifyAsyncHTTPHandler._create_aiohttp_transport(ssl_verify=self.ssl_verify)Testing
Both files already have
ssl_verifywired throughcreate_client()/_create_aiohttp_transport()for the normal (non-retry) path — this PR makes retries consistent with that existing behaviour.