Skip to content

Truststore #3409

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 21 commits into
base: master
Choose a base branch
from
Open

Truststore #3409

wants to merge 21 commits into from

Conversation

@lovelydinosaur
Copy link
Contributor

@lovelydinosaur lovelydinosaur commented Nov 21, 2024
edited
Loading

Refs #302.

Switch from certifi to truststore in order to enable system trust stores as our default SSL behavior. Related… #3404 (comment)

Requires us to bump our Python requirement from 3.8 to 3.10.

lovelydinosaur
lovelydinosaur commented Nov 21, 2024
View reviewed changes
@lovelydinosaur lovelydinosaur mentioned this pull request Nov 22, 2024
Closed
lovelydinosaur
lovelydinosaur commented Nov 28, 2024
View reviewed changes
@lovelydinosaur lovelydinosaur marked this pull request as ready for review November 28, 2024 11:41
@lovelydinosaur
Copy link
Contributor Author

lovelydinosaur commented Nov 28, 2024
edited
Loading

Looking at PyPI stats we've currently still got fairly significant 3.9 usage.

Perhaps a smart approach here would be...

  • Plan on switching from certifi to truststore with a release aimed at 2025-10.
  • At the same time as Python 3.9 becomes EOL.
  • And Python 3.14 is released.

(Alternatively we could be more pushy about this with our userbase. 2025-10 seems like a long time to wait for this.)

@Secrus
Copy link
Contributor

Secrus commented Dec 4, 2024

Maybe it could be done based on python version? certifi for <3.10 and truststore for the rest?

@lovelydinosaur
Copy link
Contributor Author

lovelydinosaur commented Dec 6, 2024

@Secrus - Could phase it in gradually yep. Or eg... support it in Python 3.14.
I really don't have enough context to know how to take a call on this one.

@zanieb
Copy link
Contributor

zanieb commented Dec 6, 2024

I would be uncomfortable dropping support for Python 3.9 before EOL, but it is worth noting there are other ecosystem packages that do this, e.g., numpy has an aggressive Python support schedule and dropped Python 3.9 support earlier this year numpy/numpy#26222

@deathaxe
Copy link

deathaxe commented Jul 6, 2025
edited
Loading

Maybe I am missing something, but according to some experiences made with SSL module of python 3.8 on Windows, ssl.create_default_context() already loads OS level trust stores by calling SSLContext.load_default_certs(), if called without explicit cafile, capath and cadata arguments.

see: https://github.com/python/cpython/blob/39b2f82717a69dde7212bc39b673b0f55c99e6a3/Lib/ssl.py#L750

As of python 3.8 ssl module also performs host name verification by default.

So why struggle with custom cert store libraries?

@jmaillefaud
Copy link

jmaillefaud commented Aug 13, 2025

@deathaxe Behavior of the stdlib ssl module is not consistent across python versions and sources on POSIX systems. For example on ubuntu, installing python through uv will have ssl bundled with webpki-roots and will not load the openssl system certificates by default.

@cclauss
Copy link
Contributor

cclauss commented Sep 2, 2025

I suggest adding Python 3.14 to the test suite as in:

cclauss
cclauss reviewed Sep 5, 2025
View reviewed changes
.github/workflows/test-suite.yml
strategy:
matrix:
python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
python-version: ["3.10", "3.11", "3.12", "3.13"]
Copy link
Contributor

@cclauss cclauss Sep 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
python-version: ["3.10", "3.11", "3.12", "3.13"]
python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]

@glyph glyph mentioned this pull request Nov 4, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@cclauss cclauss cclauss left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@lovelydinosaur @Secrus @zanieb @deathaxe @jmaillefaud @cclauss