From 6e2a933340985b2efcaa31b8a0a0dcf74b227bd5 Mon Sep 17 00:00:00 2001
From: Richard Si <sichard26@gmail.com>
Date: Sun, 20 Apr 2025 20:25:19 -0400
Subject: [PATCH] Inject SSL context into urllib3 ProxyManager, too

When a proxy is involved, requests uses a urllib3 proxy manager instead of
the pool manager. We only inject our SSL context into the pool manager,
which means the truststore context is lost when a proxy is set.

We can modify proxy manager construction by overriding proxy_manager_for
on the requests adapters.
---
 news/13343.bugfix.rst                | 1 +
 src/pip/_internal/network/session.py | 8 ++++++++
 2 files changed, 9 insertions(+)
 create mode 100644 news/13343.bugfix.rst

diff --git a/news/13343.bugfix.rst b/news/13343.bugfix.rst
new file mode 100644
index 00000000000..5462b1b3fb8
--- /dev/null
+++ b/news/13343.bugfix.rst
@@ -0,0 +1 @@
+Ensure truststore feature remains active even when a proxy is also in use.
diff --git a/src/pip/_internal/network/session.py b/src/pip/_internal/network/session.py
index 5e10f8f5615..d38b5067fba 100644
--- a/src/pip/_internal/network/session.py
+++ b/src/pip/_internal/network/session.py
@@ -54,6 +54,7 @@
     from ssl import SSLContext
 
     from pip._vendor.urllib3.poolmanager import PoolManager
+    from pip._vendor.urllib3.proxymanager import ProxyManager
 
 
 logger = logging.getLogger(__name__)
@@ -286,6 +287,13 @@ def init_poolmanager(
             **pool_kwargs,
         )
 
+    def proxy_manager_for(self, proxy: str, **proxy_kwargs: Any) -> "ProxyManager":
+        # Proxy manager replaces the pool manager, so inject our SSL
+        # context here too. https://github.com/pypa/pip/issues/13288
+        if self._ssl_context is not None:
+            proxy_kwargs.setdefault("ssl_context", self._ssl_context)
+        return super().proxy_manager_for(proxy, **proxy_kwargs)  # type: ignore[misc]
+
 
 class HTTPAdapter(_SSLContextAdapterMixin, _BaseHTTPAdapter):
     pass