I am running into the exact same issue using Zscaler. 3.12.x was fine, 3.13.1 is broken. This can't be intended behavior, like what the **** is going on??? I don't get to choose the fact I have to pass the SSL certificate in order to connect to ANY https secured server (which is like... all of them), and I certainly don't have the authority to ask my large corporation to change the Basic Constraints of the root certificate to be strict. This is the error message I receive with a valid root certificate for Zscaler as of 3.13 (doesn't happen on 3.12):

httpcore.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1018)

This needs a fix ASAP. Whoever broke this so horrendously needs to explain themselves, because it can't be easily circumvented at all. Horrible bug, I literally cannot use 3.13.x at all on my company machine to do part of my job.