From 8c087a988f74f82a731773c4cfecf74a2daf0018 Mon Sep 17 00:00:00 2001
From: Thomas Farstrike <thomasverstreken@protonmail.com>
Date: Wed, 18 Feb 2026 18:11:23 +0100
Subject: [PATCH] DownloadManager: make certificates explicit

---
 internal_filesystem/lib/mpos/net/download_manager.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/internal_filesystem/lib/mpos/net/download_manager.py b/internal_filesystem/lib/mpos/net/download_manager.py
index ca5e3b8f..2bc30843 100644
--- a/internal_filesystem/lib/mpos/net/download_manager.py
+++ b/internal_filesystem/lib/mpos/net/download_manager.py
@@ -105,6 +105,9 @@ class DownloadManager:
             print("DownloadManager: aiohttp not available")
             raise ImportError("aiohttp module not available")
         
+        import ssl
+        sslctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        sslctx.verify_mode = ssl.CERT_OPTIONAL # CERT_REQUIRED might fail because MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED
         session = aiohttp.ClientSession()
         print("DownloadManager: Created new aiohttp session")
         print(f"DownloadManager: Downloading {url}")
@@ -115,7 +118,7 @@ class DownloadManager:
             if headers is None:
                 headers = {}
             
-            async with session.get(url, headers=headers) as response:
+            async with session.get(url, headers=headers, ssl=sslctx) as response:
                 if response.status < 200 or response.status >= 400:
                     print(f"DownloadManager: HTTP error {response.status}")
                     raise RuntimeError(f"HTTP {response.status}")