Description
Say you have a server that provides a cert chain
A -> B -> D
but D is actually signed by C, which is not provided by the chain.
(Unfortunately I have no control over this particular mistake so I can't get it fixed, and I don't even have a way to obtain C.)
Now obviously I can't just trust A and get things to work, but my problem is that even if I specify that I trust D verify="/path/to/d.pem", requests will still fail to connect.
This is in contrast with what curl does (--cacert /path/to/d.pem), where if the leaf is trusted it doesn't care that it can't find its issuer: it's specified as a root anyway.
Expected Result
Connects
Actual Result
requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.1.1', port=443): Max retries exceeded with url: /ws (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))
Reproduction Steps
Spawn an HTTPS server with an incomplete cert chain (e.g. no intermediate certificate).
Make a request to it using requests.
System Information
$ python -m requests.help
{
  "chardet": {
    "version": null
  },
  "charset_normalizer": {
    "version": "3.4.0"
  },
  "cryptography": {
    "version": ""
  },
  "idna": {
    "version": "3.10"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.11.10"
  },
  "platform": {
    "release": "6.12.33",
    "system": "Linux"
  },
  "pyOpenSSL": {
    "openssl_version": "",
    "version": null
  },
  "requests": {
    "version": "2.28.2"
  },
  "system_ssl": {
    "version": "30300030"
  },
  "urllib3": {
    "version": "1.26.20"
  },
  "using_charset_normalizer": true,
  "using_pyopenssl": false
}