fix(ssl): use default SSL context for all httpx calls; add opt-out verify for debugging

[phymbert]

Summary

While testing OpenHands behind enterprise TLS interception/self-signed corporate roots, I hit SSL: CERTIFICATE_VERIFY_FAILED. Many orgs install a private root CA in the OS trust store; however several httpx clients weren’t explicitly using a default SSL context.

This PR ensures all httpx calls consistently use the expected system default SSL context. It also adds a debug-only escape hatch to disable verification via config/env vars when needed.

What’s changed

• Introduce openhands.utils.http_session:
  • httpx_verify_option() for consistent verify= across httpx clients (async & sync).
  • Shared client management + configure_http_session(verify=...).
  • Honors env vars: INSECURE_SKIP_VERIFY (also accepts OPENHANDS_INSECURE_SKIP_VERIFY) — default is secure (verify on).
• Wire default SSL behavior everywhere we create httpx clients:
  • Enterprise modules (e.g., Jira Cloud/DC, Linear), OAuth/key routes, billing, nested conversation managers, providers, storage webhooks, local runtime readiness checks, Git services, resolvers, etc.
• Config & docs:
  • config.template.toml: add insecure_skip_verify (commented, NOT recommended).
  • openhands/core/config/openhands_config.py: add insecure_skip_verify: bool | None.
  • openhands/core/config/utils.py: call configure_http_session() based on config/env.
  • docs/usage/environment-variables.mdx: document INSECURE_SKIP_VERIFY.
• Backwards compatible: by default we still verify certificates; behavior is unchanged for secure setups.

Motivation

• Enterprises often use a self-signed corporate root CA. Using the system default SSL context lets requests succeed once that root is present in the OS trust store.
• A temporary opt-out (insecure_skip_verify) helps debug TLS issues without blocking critical flows (e.g., first-time setup, CI smoke tests).

Usage notes

• Secure default: No change required if your environment has proper trust roots installed.
• Temporary debug override (NOT recommended for production):
  • Env: INSECURE_SKIP_VERIFY=true
  • Or config.toml:

    # Skip TLS certificate verification for outbound HTTP requests (NOT recommended)
    insecure_skip_verify = true

• I also touched the enterprise module (planning to try Jira integration soon), feel free to ask for or to commit additional changes.

Testing

• ✅ Verified success against an internal endpoint with a corporate root CA installed in the OS trust store (ubuntu based docker + bitbucket endpoint).
• ✅ Verified failure → success flip when toggling INSECURE_SKIP_VERIFY.

Security considerations

• Verification remains enabled by default.
• insecure_skip_verify is explicitly documented as NOT recommended and intended for temporary debugging only.

Thanks

Really happy to use OpenHands — huge thanks to the team and the community for the awesome project and support 🙏

[phymbert]

I dont think linter issues are related to the changes, tell me if you want me to fix them.