Provide flag for using "load default certs" from Python's standard library for the SSL Context #11038
Comments
notatallshaw
added
S: needs triage
uranusjr
added
state: awaiting PR
|
Given this comment which clarifies the background (at least to me!) this seems reasonable. However, I worry that people won't understand the subtle difference between "use system certs" and "load default store". I don't think it's reasonable to expect pip users to understand the details of the stdlib SSL module (I certainly don't!) and even if they did, I see no mention in the stdlib docs of the possible cases mentioned in the linked thread where this flag wouldn't work as expected. All of which means, I'd like the docs for this feature to be very clear on what it does and doesn't promise. And that's not just for users, it's for future maintainers trying to understand whether a claimed issue is or is not a bug. |
I don't disagree this is nuanced, but such is the case when dealing with SSL options. Even in
This is the relevant quote in the stdlib docs:
And to your final point this is essentially all it is promising, that what ever happens to be in the CA and ROOT system stores (at least on Windows) is what is used to verify the HTTPS request to the Python index. I think the main point the docs in Pip would need to explain is it's only https requests Pip is making (just like the other SSL options pip provides), and the purpose is to "Load a set of default CA certificates from default locations" as per the stdlib docs: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_default_certs Finally this would help support any user on Windows where their organization stores their own CA locally and all HTTPS connections are validated against that CA. Which my understanding is quite a lot of organizations do this these days but it's hard to get a grasp on numbers. It does not help users where the CA being used to validate the HTTPS call is only used by Pip. This would be the edge case that is not supported by this standard library method. And users wishing this must develop a workaround where the CA is loaded in to the system store first. p.s. I am currently negotiating with my new employer the remit of my ability to submit PRs to open source projects, once I get a chance I will be happy to submit a PR. But don't let that stop anyone else sufficiently motivated 🙂 |
|
@davisagli and I created truststore so that Python can verify certificates using native operating system APIs. This library could be used as a potential solution for this issue? We use OpenSSL for the handshake but then pass the peer certificate chain to OS cert verification APIs like Security framework on macOS and CryptoAPI on Windows. The peer certificate chain is grabbed from experimental APIs in the The library currently only supports Python 3.10+ so would need to be optional for now. The library also supports loading additional CA certificates into the |
|
@sethmlarson this looks excellent! And is actually more akin to #10961 than the current issue (subtly the difference between the two issue is that was asking for the system certificate store but there is an edge case to using Though with that said my main concern is that Pip actually isn't the right place to adopt this. It would mean vendoring the library Wouldn't it make more sense to have popular HTTP backends like Prior art already exists of using |
Seth maintains urllib3 so I assume at least one of these will happen at some point :p I believe the intention of bringing this into pip before any popular library is that pip is the perfect real-world testing ground. With |
|
Oh super! I didn't realize, sorry for the comment with not enough understanding of who was providing this info. |
|
@uranusjr Yes, exactly! Introducing into an HTTP library would either be an abrupt change if made required or likely will be unused if hidden behind a flag. Best to start in a place that already has a concept of feature flags and has a group of users with issues that truststore solves. To give a bit of status where we are with the project: the basic functionality works but will likely have some edge cases that our relatively small test suite hasn't covered. We're working to test how the library behaves in more situations and implement+document how each operating system API interacts with corresponding OpenSSL-esque |
|
Should we keep this open, or does supporting |
uranusjr
added
S: awaiting response
|
As I understand it from the blog post supporting truststore covers this. The only issue is that you need to boostrap truststore in to the Python environment first (may require using trusted host arg to install). Hopefully this will eventually not be required. |
|
Yeah we’re going to vendor truststore at some point, when it’s more stable. |
pradyunsg
removed
the
S: awaiting response
What's the problem this feature will solve?
As discussed in #10777 and #10961 .
In practice it will let Pip use the platform's certificate store. There is at least one edge case on Windows where this might not work as simply as that but idea is flag will defer entirely to the documentation in the standard library: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_default_certs
Describe the solution you'd like
Optional flag to allow load default certs for Pip's SSLContext.
Alternative Solutions
Don't provide
Additional context
Allows some users to use this instead of "trusted_host" over HTTP, or trying to manually extract their certificate store in to a file (which is not always possible on Windows).
Code of Conduct
The text was updated successfully, but these errors were encountered: