The future of trust stores in Python

Transcript

1. The future of trust stores in Python

2. Seth M. Larson / @sethmlarson David Glick / @davisagli

3. 👋 Show of hands, have you seen this error? [SSL:

   CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate • No root certificate found to verify the cert chain • Commonly caused by corporate proxies.

4. What is a trust store? • Collection of certificates your

   system uses during TLS handshakes • Usually a file or directory of certs in Python • Python’s ssl APIs are tied strongly to OpenSSL

5. Trust stores in Python today • Linux distros ship trust

   stores to work with OpenSSL • macOS and Windows don’t do this • Python uses OpenSSL on macOS and Windows… Problem! What should OpenSSL use?

6. Trust stores in Python today • Linux distros ship trust

   stores to work with OpenSSL • macOS and Windows don’t do this • Python uses OpenSSL on macOS and Windows… Problem! What should OpenSSL use? • Certifi: Mozilla’s CA bundle repackaged to PyPI

7. Problems with OpenSSL+certifi • Certifi certs only, not following central

   system policy • One trust store per application, tough to maintain • Certificates in trust store are static, no auto updates • PyPI is now a CA certificate distribution channel

8. Why system trust stores are better • One trust store

   per system, not per application • System manages and updates certificates • Fancy features ✨ ◦ Handling revoked certs ◦ Intermediate fetching

9. System trust stores in Python New experimental package: “truststore” https://pypi.org/project/truststore

   https://github.com/sethmlarson/truststore • Provides an SSLContext API • Works on Linux, macOS, and Windows • Tested with urllib3, requests, aiohttp • Requires Python 3.10+

10. What happens now? • Check out the project but don’t

    deploy to prod • Add functionality to Python • Eventual adoption by libraries and tools ◦ Pip / Requests