How to fix the [SSL: DH_KEY_TOO_SMALL] connection error when requesting an XHR endpoint on a legacy website with the httpx library
httpx.ConnectError: DH_KEY_TOO_SMALL in httpx

Got it, let's break down how to fix this issue. The [SSL: DH_KEY_TOO_SMALL] error happens because the legacy website you're targeting uses a short Diffie-Hellman (DH) key. Modern SSL/TLS clients reject such keys by default because they are too weak to protect the key exchange. As you noticed, setting verify=False only skips certificate validation; it doesn't lift the weak-key restriction, which is why that didn't work for you.
Here are practical solutions for both synchronous and asynchronous httpx clients:
1. Use a Custom SSL Context with Relaxed Security Level
The most reliable fix is to create a custom SSL context that lowers the OpenSSL security level to allow shorter DH keys. This aligns with how you likely solved the problem in requests, but httpx lets you pass the SSL context directly to the verify parameter.
Synchronous Client Example
```python
import ssl
import httpx

# Create a custom SSL context
ssl_context = ssl.create_default_context()
# Lower the security level to permit weak DH keys
ssl_context.set_ciphers('DEFAULT:@SECLEVEL=1')

# Initialize the httpx client with the custom context
with httpx.Client(verify=ssl_context) as client:
    response = client.get("https://your-old-site.com/your-xhr-endpoint")
    print(response.status_code)
    # Process your XHR response here
```
Asynchronous Client Example
```python
import ssl
import httpx
import asyncio

async def fetch_xhr_data():
    ssl_context = ssl.create_default_context()
    ssl_context.set_ciphers('DEFAULT:@SECLEVEL=1')

    async with httpx.AsyncClient(verify=ssl_context) as client:
        response = await client.get("https://your-old-site.com/your-xhr-endpoint")
        print(response.status_code)
        # Process your XHR response here

# Run the async function
asyncio.run(fetch_xhr_data())
```
2. Alternative: Adjust SSL Context Options (Less Recommended)
If you prefer not to modify cipher suites, you can tweak SSL context options to enable older TLS versions (common on extremely outdated sites). This is less precise than adjusting the security level, but it might work for some cases:
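```python
import ssl
import httpx

ssl_context = ssl.create_default_context()
# Allow TLS 1.2 (many old sites only support this or older).
# The OP_NO_TLSv1_x flags are deprecated since Python 3.7; minimum_version
# is the supported way to set the lowest protocol version.
ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
# Optional: Uncomment below if the site uses even older TLS 1.1
# ssl_context.minimum_version = ssl.TLSVersion.TLSv1_1
# Note: this changes protocol versions only; the DH key-size check is
# governed by the security level shown in option 1.

with httpx.Client(verify=ssl_context) as client:
    response = client.get("https://your-old-site.com/your-xhr-endpoint")
```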
Critical Notes
- Security Tradeoff: Lowering the security level or enabling older TLS versions reduces connection security. Only use these fixes for websites you fully trust—weak DH keys are vulnerable to cryptographic attacks.
- Why verify=False Fails: This parameter only skips checks for valid SSL certificates. It doesn't override the client's restrictions on weak cryptographic keys, which is the root cause of your error.
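To keep the tradeoff above contained, the relaxed context can be limited to the one legacy host while every other host keeps the default TLS settings. This is an added example, not code from the original answer; LEGACY_HOSTS, relaxed_context, context_for, still_verifies and build_client are hypothetical names, and the host is the placeholder used above.

```python
import ssl

# Assumption: the only host that needs the weak-DH exception (placeholder name).
LEGACY_HOSTS = frozenset({"your-old-site.com"})


def relaxed_context() -> ssl.SSLContext:
    """Default context with only the OpenSSL security level lowered to 1."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT:@SECLEVEL=1")
    return ctx


def context_for(host: str) -> ssl.SSLContext:
    """Relaxed context for allowlisted hosts, the untouched default otherwise."""
    if host.lower().rstrip(".") in LEGACY_HOSTS:
        return relaxed_context()
    return ssl.create_default_context()


def still_verifies(ctx: ssl.SSLContext) -> bool:
    """True while certificate and hostname checks are both still enforced."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def build_client():
    """httpx client that applies the exception to LEGACY_HOSTS only."""
    import httpx  # imported here so the helpers above work without httpx

    mounts = {
        f"https://{host}": httpx.HTTPTransport(verify=context_for(host))
        for host in LEGACY_HOSTS
    }
    # Hosts without a mount use the client's default transport and TLS settings.
    return httpx.Client(mounts=mounts)


if __name__ == "__main__":
    for host in ("your-old-site.com", "example.org"):
        ctx = context_for(host)
        # security_level is available on Python 3.10 and later
        level = getattr(ctx, "security_level", "n/a")
        print(host, "security level:", level, "verifies:", still_verifies(ctx))
```

Unlike verify=False, the relaxed context still validates the certificate chain and hostname, so the exception covers only the DH key size.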
The question comes from Stack Exchange; asked by Atralupus.




