Start using truststore for verifying with system CA certificates #11081

Closed
1 task done
sethmlarson opened this issue May 2, 2022 · 3 comments
Labels
type: feature request Request for a new feature

Comments

@sethmlarson
Contributor

What's the problem this feature will solve?

Hello! @davisagli and I created truststore so that Python can verify certificates using native operating system APIs. We figure that with pip's usage behind corporate proxies and custom package indices this functionality would be useful to pip users.

We use OpenSSL for the handshake but then pass the peer certificate chain to OS cert verification APIs like Security framework on macOS and CryptoAPI on Windows. The peer certificate chain is grabbed from experimental APIs in the ssl module but after speaking to @tiran the APIs will be in their same state in Python 3.11.

Describe the solution you'd like

The library currently only supports Python 3.10+ so would need to be optional for now, perhaps behind a --use-feature flag? The library also supports loading additional CA certificates into the SSLContext. To ensure that no certificate chains that previously verified using only certifi would stop verifying (although I believe this situation would be rare) the SSLContext could be loaded with certifi certs in addition to using the system store, if desired.

Alternative Solutions

N/A

Additional context

N/A

Code of Conduct

@sethmlarson sethmlarson added S: needs triage Issues/PRs that need to be triaged type: feature request Request for a new feature labels May 2, 2022
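
An added example, not part of the original issue and not pip's or truststore's own code: the opt-in described in the issue above, where `truststore.SSLContext` is used on Python 3.10+ only when requested and certifi's bundle is loaded in addition to the system store. The function names and the `use_system_store` parameter are hypothetical stand-ins for a `--use-feature` style flag; `truststore` and `certifi` are optional third-party imports.

```python
import ssl
import sys


def truststore_usable(version_info=sys.version_info):
    """True when truststore can be used: Python 3.10+ and the package importable."""
    if tuple(version_info[:2]) < (3, 10):
        return False
    try:
        import truststore  # noqa: F401  (optional third-party dependency)
    except ImportError:
        return False
    return True


def _certifi_bundle():
    """Path to certifi's CA bundle, or None when certifi is not installed."""
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where()


def build_client_context(use_system_store=False, add_certifi=True):
    """Return (context, backend_name) for verifying HTTPS servers.

    use_system_store is a hypothetical opt-in switch. When it is set and
    truststore is usable, verification is delegated to the OS trust store,
    with certifi's roots loaded as additional anchors so chains that
    verified with certifi alone keep verifying.
    """
    bundle = _certifi_bundle()
    if use_system_store and truststore_usable():
        import truststore

        ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        if add_certifi and bundle:
            ctx.load_verify_locations(cafile=bundle)
        return ctx, "truststore"

    # Not opted in, or truststore unavailable: plain OpenSSL verification.
    # With a bundle, only certifi's roots are trusted; without one, the
    # stdlib falls back to OpenSSL's default verify paths.
    ctx = ssl.create_default_context(cafile=bundle)
    return ctx, "openssl"
```

Either context is then used the same way, for example `ctx.wrap_socket(sock, server_hostname=host)`.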
@pradyunsg
Member

How close is this request to #11038? It might make sense to consolidate the discussion and mention this there. :)

@pradyunsg pradyunsg added resolution: duplicate Duplicate of an existing issue/PR and removed S: needs triage Issues/PRs that need to be triaged resolution: duplicate Duplicate of an existing issue/PR labels May 2, 2022
@pradyunsg
Member

Bah, we don't have a potential-duplicate label. :)

@pradyunsg pradyunsg added the S: awaiting response Waiting for a response/more information label May 2, 2022
@sethmlarson
Contributor Author

Totally down to close this as a duplicate, I can bring the discussion to that issue. Thanks!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 2, 2022
@pradyunsg pradyunsg removed the S: awaiting response Waiting for a response/more information label Mar 17, 2023