VERIFY_X509_PARTIAL_CHAIN

Author: sfc-gh-snoonan

src/snowflake/connector/connection_diagnostic.py

@@ -240,6 +240,10 @@ def __test_socket_get_cert(
 
                 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                 context.load_verify_locations(certifi.where())
+                # Best-effort: enable partial-chain when supported
+                _partial_flag = getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0)
+                if _partial_flag and hasattr(context, "verify_flags"):
+                    context.verify_flags |= _partial_flag
                 sock = context.wrap_socket(conn, server_hostname=host)
                 certificate = ssl.DER_cert_to_PEM_cert(sock.getpeercert(True))
                 http_request = f"""GET / {host}:{port} HTTP/1.1\r\n

test/unit/test_ssl_partial_chain_handshake.py

@@ -150,7 +150,7 @@ def test_partial_chain_handshake_succeeds_with_intermediate_as_anchor():
     host, port = addr_holder[0]
 
     # Build PyOpenSSL context with only intermediate as trust anchor
-    ctx = ssw._build_pyopenssl_context_with_ca_and_partial_chain(
+    ctx = ssw._build_context_with_partial_chain(
         None
     )  # pylint: disable=protected-access
     # Load intermediate into store via PEM file path by reusing helper