@nathanleiby I experimented a little with the verify option but don't think it verifies the entire CA chain.

Example: api.twitter.com, api.stripe.com or api.facebook.com will fail when verifying with our cert chain, but not api.github.com

requests.get('https://api.github.com', verify='path-to-our-cert-bundle')

returns a 200

Interesting- is this a new issue with clever.com_ca_bundle.crt or the same behavior as before?

Is not a issue with the new ca_bundle as far as I see. And the behavior does not seem very dangerous to me, since the only way to have a website be verified is to use the same CA (DigiCert High Assurance EV) as we use.

I'll experiment some more going forward and should add a comment in the code.

4480119