Slide 1

The future of trust stores in Python

Slide 2

Seth M. Larson / @sethmlarson
David Glick / @davisagli

Slide 3

👋 Show of hands, have you seen this error?

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate

● No root certificate found to verify the cert chain
● Commonly caused by corporate proxies

Slide 4

What is a trust store?

● Collection of certificates your system uses during TLS handshakes
● Usually a file or directory of certs in Python
● Python’s ssl APIs are tied strongly to OpenSSL

Slide 5

Trust stores in Python today

● Linux distros ship trust stores to work with OpenSSL
● macOS and Windows don’t do this
● Python uses OpenSSL on macOS and Windows… Problem! What should OpenSSL use?

Slide 6

Trust stores in Python today (same slide, one bullet added)

● Certifi: Mozilla’s CA bundle repackaged to PyPI

Slide 7

Problems with OpenSSL+certifi

● Certifi certs only, not following central system policy
● One trust store per application, tough to maintain
● Certificates in trust store are static, no auto updates
● PyPI is now a CA certificate distribution channel

Slide 8

Why system trust stores are better

● One trust store per system, not per application
● System manages and updates certificates
● Fancy features ✨
  ○ Handling revoked certs
  ○ Intermediate fetching

Slide 9

System trust stores in Python

New experimental package: “truststore”
https://pypi.org/project/truststore
https://github.com/sethmlarson/truststore

● Provides an SSLContext API
● Works on Linux, macOS, and Windows
● Tested with urllib3, requests, aiohttp
● Requires Python 3.10+
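To make the three options from slides 3 to 9 concrete, here is an added example (not code from the talk or from the truststore project) that builds a verifying client SSLContext from each trust source, reports where OpenSSL looks for roots on the current machine, and maps the "unable to get local issuer certificate" handshake failure from slide 3 to its likely cause. It uses the standard-library ssl module throughout; the optional certifi.where() and truststore.SSLContext(...) calls are the documented APIs of those packages and are only imported when the corresponding source is requested, so the rest works without either package installed. The classification strings ("missing-root", etc.) are this example's own labels.

```python
"""Compare the trust sources available to a Python TLS client.

Sources:
  * "openssl"  : OpenSSL's compiled-in default paths (ssl.create_default_context)
  * "certifi"  : Mozilla's CA bundle shipped as a PyPI package (per application, static)
  * "system"   : the operating system's trust store via the truststore package
"""
import ssl
from typing import Union


def default_verify_paths() -> dict:
    """Where OpenSSL looks for CA certificates by default on this machine.

    On Linux distros these normally point at a distro-managed bundle; on macOS
    and Windows the paths often do not exist, which is the gap the slides describe.
    """
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.cafile,                  # None when the file is absent
        "capath": paths.capath,                  # None when the directory is absent
        "openssl_cafile": paths.openssl_cafile,  # compiled-in location, may not exist
        "openssl_capath": paths.openssl_capath,
    }


def build_context(source: str) -> ssl.SSLContext:
    """Return a client SSLContext whose trust roots come from `source`.

    Hostname checking and CERT_REQUIRED stay on in every case; only the
    origin of the root certificates changes.
    """
    if source == "openssl":
        # OpenSSL default paths; equivalent to what the ssl module does out of the box.
        ctx = ssl.create_default_context()
    elif source == "certifi":
        # A static bundle bundled with the application: no system policy, no auto-updates.
        import certifi  # raises ImportError if the package is not installed
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=certifi.where())
    elif source == "system":
        # The OS trust store (Security.framework on macOS, CryptoAPI on Windows,
        # the OpenSSL default paths on Linux) through truststore's SSLContext wrapper.
        import truststore  # raises ImportError if the package is not installed
        ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    else:
        raise ValueError(f"unknown trust source: {source!r}")
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True when the context will both verify the chain and check the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def loaded_ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates OpenSSL has loaded into a plain ssl.SSLContext.

    Only meaningful for the "openssl" and "certifi" sources; the system store
    is consulted by the OS at verification time rather than preloaded here.
    """
    return ctx.cert_store_stats()["x509_ca"]


def classify_verify_error(err: Union[ssl.SSLCertVerificationError, str]) -> str:
    """Map a CERTIFICATE_VERIFY_FAILED reason to a likely operational cause.

    Labels are this example's own: "missing-root" is the slide-3 case, where no
    trust anchor for the chain is present (commonly a corporate proxy's CA that
    the application's trust store, e.g. a certifi bundle, does not contain).
    """
    reason = err if isinstance(err, str) else (getattr(err, "verify_message", "") or str(err))
    if "unable to get local issuer certificate" in reason:
        return "missing-root"
    if "certificate has expired" in reason:
        return "expired"
    if "self signed certificate" in reason or "self-signed certificate" in reason:
        return "self-signed"
    return "other"


if __name__ == "__main__":
    print("OpenSSL default verify paths:", default_verify_paths())
    ctx = build_context("openssl")
    print("verifying:", is_verifying(ctx), "CA certs loaded:", loaded_ca_count(ctx))
    # Constructed sample of the slide-3 error text, not a captured handshake.
    sample = "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate"
    print("classified as:", classify_verify_error(sample))
```

Running this on a Linux host with a distro bundle typically reports a non-zero CA count for the "openssl" source; on macOS or Windows with a python.org build the count is often zero unless certifi or truststore is used, which is exactly the situation the talk is addressing.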

Slide 10

What happens now?

● Check out the project but don’t deploy to prod
● Add functionality to Python
● Eventual adoption by libraries and tools
  ○ Pip / Requests