The fallback uses CERT_NONE + default verify paths, and QwenPaw still passes certifi 's cacert.pem via SSL_CERT_FILE / REQUESTS_CA_BUNDLE env vars, so actual HTTPS verification works through the cert ...