Add docs and tests for Requests support

[sethmlarson]

Closes #66

[davisagli]

Thanks!

[sethmlarson]

Interesting the Python 3.10 and macOS for Requests seems to be consistently failing on revoked.badssl.com but urllib3 works fine. I wonder why that is? 😕

[davisagli]

I'm busy this morning but will take a look later. Maybe the flags related to revocation checks are not getting set correctly when the certifi CA certs have been loaded.

[davisagli]

@sethmlarson I added code to explicitly configure macOS security policy to require revocation checks when verify_flags includes VERIFY_CRL_CHECK_CHAIN. I'm still not really sure why the behavior was different when testing with requests; it seems the presence of the certifi CAs somehow caused macOS to either not do revocation checks it was otherwise doing, or to ignore failures when trying to do them.

[davisagli]

@sethmlarson approving so it's mergeable since you opened the PR, but I'd appreciate if you could take a look at the part I added first.

[sethmlarson]

@davisagli Do we need to CFRelease the ssl_policy and revocation_policy objects below as well?

[davisagli]

@sethmlarson Yes, having reviewed docs about CoreFoundation memory management more closely, I think you're right.

[sethmlarson]

@davisagli This is a strange message for the situation, makes me think of certificate pinning or macOS minimum requirements for certs. What's the full error message here if you have that handy?

[davisagli]

SSLCertVerificationError('"*.badssl.com","R3","ISRG Root X1" certificates do not meet pinning requirements')

Here is someone else configuring a revocation security policy similar to us, who noted that it's returning errSecIncompleteCertRevocationCheck = -67635 indicating that a revocation check could not be completed (which makes more sense), but that CFErrorCopyDescription is returning the wrong error message for that error code: https://developer.apple.com/forums/thread/706629

[sethmlarson]

Nice find!! That looks like exactly what we're experiencing.