The future of trust stores in Python

Lightning talk for PyCon US 2022 by Seth Larson and David Glick

Seth Michael Larson

May 04, 2022
Transcript

  1. 👋 Show of hands, have you seen this error? [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate
     • No root certificate found to verify the cert chain
     • Commonly caused by corporate proxies.
  2. What is a trust store?
     • Collection of certificates your system uses during TLS handshakes
     • Usually a file or directory of certs in Python
     • Python’s ssl APIs are tied strongly to OpenSSL
  3. Trust stores in Python today
     • Linux distros ship trust stores to work with OpenSSL
     • macOS and Windows don’t do this
     • Python uses OpenSSL on macOS and Windows… Problem! What should OpenSSL use?
  4. Trust stores in Python today
     • Linux distros ship trust stores to work with OpenSSL
     • macOS and Windows don’t do this
     • Python uses OpenSSL on macOS and Windows… Problem! What should OpenSSL use?
     • Certifi: Mozilla’s CA bundle repackaged to PyPI
  5. Problems with OpenSSL+certifi
     • Certifi certs only, not following central system policy
     • One trust store per application, tough to maintain
     • Certificates in trust store are static, no auto updates
     • PyPI is now a CA certificate distribution channel
  6. Why system trust stores are better
     • One trust store per system, not per application
     • System manages and updates certificates
     • Fancy features ✨
       ◦ Handling revoked certs
       ◦ Intermediate fetching
  7. System trust stores in Python
     New experimental package: “truststore” https://pypi.org/project/truststore https://github.com/sethmlarson/truststore
     • Provides an SSLContext API
     • Works on Linux, macOS, and Windows
     • Tested with urllib3, requests, aiohttp
     • Requires Python 3.10+
  8. What happens now?
     • Check out the project but don’t deploy to prod
     • Add functionality to Python
     • Eventual adoption by libraries and tools
       ◦ Pip / Requests
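The following is an added example, not code from the talk, from the truststore project or from certifi. It builds the three kinds of client context the slides contrast (OpenSSL's default paths, certifi's static bundle, and truststore's OS-delegated verification), chooses the system store first when the truststore package is importable, and adds the two checks a practitioner wants when the CERTIFICATE_VERIFY_FAILED error from slide 1 shows up: a translation of OpenSSL's verify code into the likely cause, and a staleness check for certifi's bundle (its version string is the release date). Assumptions: `truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` is the package's constructor as described on the slides; certifi and truststore may be absent, so both are optional; the verify-code numbers are OpenSSL's X509_V_ERR values as exposed on `ssl.SSLCertVerificationError.verify_code`.

```python
"""Which roots does this Python process trust, and why did verification fail?

Added example (not from the talk, truststore or certifi). Stdlib only; the
certifi and truststore imports are optional.
"""
import datetime as dt
import ssl
from typing import Optional

# OpenSSL X509_V_ERR_* codes that Python exposes as
# ssl.SSLCertVerificationError.verify_code, mapped to the usual cause.
_HINTS = {
    20: "unable to get local issuer certificate: the root (or an intermediate) "
        "is not in this trust store. Typical with a corporate TLS-intercepting "
        "proxy whose CA is only in the OS store, not in certifi's bundle.",
    19: "self-signed certificate in chain: nothing in the store trusts the root "
        "the server sent.",
    18: "self-signed leaf certificate, no chain at all.",
    10: "certificate has expired; with a static bundle this can also mean the "
        "bundle itself is out of date.",
}


def system_context() -> ssl.SSLContext:
    """Roots from OpenSSL's compiled-in default paths: the distro store on Linux,
    often nothing on python.org macOS builds. On Windows CPython also copies the
    ROOT and CA stores into OpenSSL here, as a one-time snapshot."""
    return ssl.create_default_context()


def certifi_context() -> Optional[ssl.SSLContext]:
    """Mozilla's bundle as repackaged on PyPI, or None if certifi is absent.
    Passing cafile= means only certifi's roots are loaded, not the system's."""
    try:
        import certifi
    except ImportError:
        return None
    return ssl.create_default_context(cafile=certifi.where())


def truststore_context():
    """Verification delegated to the OS store by the truststore package
    (not an ssl.SSLContext subclass), or None if it is not installed."""
    try:
        import truststore
    except ImportError:
        return None
    return truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def pick_context():
    """Prefer the OS store, then certifi, then OpenSSL's defaults. Returns
    (label, context). None of the branches relax CERT_REQUIRED or hostname
    checking; loosening those is never the fix for a verify error."""
    for label, factory in (("truststore", truststore_context),
                           ("certifi", certifi_context),
                           ("openssl-default", system_context)):
        ctx = factory()
        if ctx is not None:
            return label, ctx
    raise RuntimeError("unreachable: system_context() always returns a context")


def diagnose(exc: BaseException) -> str:
    """Explain an ssl.SSLCertVerificationError from its OpenSSL verify code."""
    code = getattr(exc, "verify_code", None)
    if code is None:
        return f"not a certificate-verification failure: {exc!r}"
    return _HINTS.get(code, f"verify error {code}: {getattr(exc, 'verify_message', '')}")


def bundle_age_days(certifi_version: str, today: Optional[dt.date] = None) -> int:
    """certifi versions are release dates ('2022.05.18', sometimes with a
    fourth component); the age in days is how long the bundle has missed
    every root addition and removal made since."""
    year, month, day = (int(p) for p in certifi_version.split(".")[:3])
    today = today or dt.date.today()
    return (today - dt.date(year, month, day)).days


def report(today: Optional[dt.date] = None) -> dict:
    """Quick audit of what this interpreter would trust. A zero root count for
    OpenSSL's defaults can also mean a hash-directory store that loads lazily."""
    label, _ = pick_context()
    out = {"chosen": label,
           "openssl_default_roots": system_context().cert_store_stats()["x509_ca"]}
    ctx = certifi_context()
    if ctx is not None:
        import certifi
        out["certifi_roots"] = ctx.cert_store_stats()["x509_ca"]
        out["certifi_age_days"] = bundle_age_days(certifi.__version__, today)
    return out


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it on a laptop behind a corporate proxy and on a clean Linux box and compare `chosen`, the root counts and `certifi_age_days`: the difference is exactly the per-application, static-bundle problem on slide 5, and `diagnose()` names the cause when `urllib3`, `requests` or `aiohttp` raise the error from slide 1.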