Title:
[Bug] google-genai Python SDK overrides 'verify=False' in HttpOptions due to truthiness evaluation quirk
Description:
When attempting to disable SSL verification in corporate, air-gapped, or specific local-first developer environments (where local proxies or specific certificate authorities trigger [SSL: CERTIFICATE_VERIFY_FAILED] exceptions), passing verify=False to the SDK’s client initialization fails silently.
The configuration is overwritten back to the default strict SSL context, preventing developers from bypassing standard certificate handshakes natively via boolean arguments.
Root Cause Analysis:
Within the network/client transport layer mapping function that evaluates http_options and its underlying dictionary or class arguments, the conditional statement checking if a custom context or validation constraint has been intentionally altered likely relies on a check similar to:
if not ctx:
# Overwrite or fallback to standard strict default SSL verificationBecause False is structurally falsy in Python, not False evaluates to True. Consequently, when a developer intentionally sets verify=False to disable checks via standard HTTP-client convention (akin to httpx or requests), the SDK misinterprets the explicit instruction as an empty, unconfigured state and silently restores the default verifying SSL engine.
Verified Workaround:
The bug can be bypassed by constructing and passing an explicit, unverified custom ssl.SSLContext object instead of a boolean value, forcing the truthiness evaluation to pass:
import ssl
from google import genai
from google.genai import types
# Workaround: Force a falsy context to look truthy to the SDK parser
unverified_ssl_context = ssl.create_default_context()
unverified_ssl_context.check_hostname = False
unverified_ssl_context.verify_mode = ssl.CERT_NONE
client = genai.Client(
http_options=types.HttpOptions(
client_args={'verify': unverified_ssl_context},
async_client_args={'verify': unverified_ssl_context}
)
)Steps to Reproduce:
- Initialize the client on a machine/network requiring an unverified SSL environment (e.g., behind an inspection proxy).
- Set
client = genai.Client(http_options=types.HttpOptions(client_args={'verify': False})).
- Try any basic text generation loop like
client.models.generate_content(...).
- Observe that the configuration is ignored and the execution raises
[SSL: CERTIFICATE_VERIFY_FAILED].
Expected Behavior:
Setting verify=False should be natively honored and passed cleanly down to the underlying HTTP client transport layer without being caught and overwritten by default configurations.
Title:
[Bug] google-genai Python SDK overrides 'verify=False' in HttpOptions due to truthiness evaluation quirkDescription:
When attempting to disable SSL verification in corporate, air-gapped, or specific local-first developer environments (where local proxies or specific certificate authorities trigger
[SSL: CERTIFICATE_VERIFY_FAILED]exceptions), passingverify=Falseto the SDK’s client initialization fails silently.The configuration is overwritten back to the default strict SSL context, preventing developers from bypassing standard certificate handshakes natively via boolean arguments.
Root Cause Analysis:
Within the network/client transport layer mapping function that evaluates
http_optionsand its underlying dictionary or class arguments, the conditional statement checking if a custom context or validation constraint has been intentionally altered likely relies on a check similar to:Because
Falseis structurally falsy in Python,not Falseevaluates toTrue. Consequently, when a developer intentionally setsverify=Falseto disable checks via standard HTTP-client convention (akin tohttpxorrequests), the SDK misinterprets the explicit instruction as an empty, unconfigured state and silently restores the default verifying SSL engine.Verified Workaround:
The bug can be bypassed by constructing and passing an explicit, unverified custom
ssl.SSLContextobject instead of a boolean value, forcing the truthiness evaluation to pass:Steps to Reproduce:
client = genai.Client(http_options=types.HttpOptions(client_args={'verify': False})).client.models.generate_content(...).[SSL: CERTIFICATE_VERIFY_FAILED].Expected Behavior:
Setting
verify=Falseshould be natively honored and passed cleanly down to the underlying HTTP client transport layer without being caught and overwritten by default configurations.