[TODO] Use `truststore` in place of `ssl` by default
Is your feature request related to a problem?
I mentioned this once or twice in the past. Now, I'm filing a tracking issue with action items.
People often face the problem of TLS certificate verification failing in Python land while other tools on the same OS/runtime work. This is because Python's stdlib `ssl` is not set up to consult the system trust stores.
The truststore library implements this with its drop-in replacement SSLContext and OS-specific API integrations. pip 24.2+ uses it by default and we should too.
This will improve the UX for our HTTP client. End users can still use either stdlib `ssl` or a `truststore`-produced context when passing an explicit context object.
Describe the solution you'd like
Relying on system-managed TLS trust stores when making HTTPS requests.
Action items:
- [ ] locate all places constructing `ssl.SSLContext` objects (may be created via `ssl.create_default_context()`)
- [ ] replace those with `truststore.SSLContext`
- [ ] at runtime, prefer `truststore`, which should be shielded on import with a fallback to just stdlib `ssl`
- [ ] `truststore` should probably be a mandatory runtime dependency in packaging core metadata; although, maybe we need to follow pip's example and make it optional first (via extras or manual install) and then add it unconditionally later
- [ ] document the priority and the compatibility considerations
Describe alternatives you've considered
N/A
Related component
Client
Additional context
- https://truststore.rtfd.io
- https://pypi.org/p/truststore
Code of Conduct
- [x] I agree to follow the aio-libs Code of Conduct
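The shielded import with stdlib fallback, and the precedence between an explicitly passed context and the default one, sketched as an added example. This is not aiohttp's code and not part of the issue; the function names (`resolve_ssl_context`, `context_is_strict`) and the backend labels are hypothetical. It uses only the documented `truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` constructor and stdlib `ssl.create_default_context()`, so it runs whether or not `truststore` is installed:

```python
import ssl

# Shielded import: the library stays usable when truststore is absent.
try:
    import truststore  # type: ignore[import-not-found]
    TRUSTSTORE_AVAILABLE = True
except ImportError:  # pragma: no cover - depends on the environment
    truststore = None
    TRUSTSTORE_AVAILABLE = False


def resolve_ssl_context(explicit=None, prefer_truststore=True):
    """Return (context, backend_name) for an HTTPS client connection.

    Precedence (hypothetical policy for this example):
      1. a context the caller passed explicitly is used as-is;
      2. otherwise truststore.SSLContext, which verifies against the
         OS trust store (Windows CertStore, macOS Security.framework,
         OpenSSL's CA bundle on Linux);
      3. otherwise stdlib ssl.create_default_context().
    """
    if explicit is not None:
        return explicit, "explicit"

    if prefer_truststore and TRUSTSTORE_AVAILABLE:
        # Documented truststore usage: same protocol constant as stdlib.
        ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        backend = "truststore"
    else:
        ctx = ssl.create_default_context()
        backend = "ssl"

    # Make the verification expectation explicit regardless of backend,
    # so a future refactor cannot silently weaken it.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx, backend


def context_is_strict(ctx):
    """True when the context both checks hostnames and requires a chain."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    ctx, backend = resolve_ssl_context()
    print(f"backend={backend} strict={context_is_strict(ctx)}")
```

When documenting the priority, the point worth spelling out for users is the first rule: an explicitly supplied `SSLContext` wins, so anyone who already ships a custom CA bundle through `ssl.create_default_context(cafile=...)` is unaffected by the new default.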
Apologies, I forgot to add a comment here, but I'm working on it. You can assign me this issue. Thanks!
@x612skm let me know any help required. Thanks!