Drop certifi, use system trust store by default

[Kludex]

Originally opened by @sethmlarson on 2019-09-01 05:47:20 in encode/httpx

This is an issue that many people have been trying to tackle for Python but hasn't been done yet. I think we're in a pretty good position to try to tackle this in a way that cam be available to everyone.

• Linux/OpenSSL should use the default system CA bundle path compiled into OpenSSL.
• Windows should use SChannel which is capable of fetching updated CA certs if they're not in the trust store.
• macOS should use SecureTransport

This should probably be implemented as a separate library, maybe use a stripped-down oscrypto project as a starting point.

Reasons to do this:

• HTTPX will use the same CA certs as the system
• Easier configuration and deployment to corporate settings
• If a system is shipped with outdated OpenSSL (Windows, macOS) we don't care because the system is more likely to be up to date than whatever was shipped with Python.
• Windows and macOS automatically update their certs and CRLs.

[Kludex]

Originally posted by @yeraydiazdiaz on 2020-03-02T13:49:38Z

It's been a while since this was raised has been brought up recently a couple of times, could we go into detail of what's needed here?

For reference oscrypto lists other related libraries, would any of those fit our needs? (I'd look myself but I just don't know enough about the subject 🙂 )

[Kludex]

Originally posted by @florimondmanca on 2020-05-16T20:02:35Z

Hey! So considering the amount of 👍's on this topic I think it would make sense to decide on whether we should keep certifi or use system defaults as part of 1.0 - https://github.com/encode/httpx/issues/947#issuecomment-629698226

I had a striking moment of consciousness about this earlier today:

What if we just used ssl.create_default_context()

From the docs (emphasis mine):

Return a new SSLContext object with default settings for the given purpose. The settings are chosen by the ssl module, and usually represent a higher security level than when calling the SSLContext constructor directly.

cafile, capath, cadata represent optional CA certificates to trust for certificate verification, as in SSLContext.load_verify_locations(). If all three are None, this function can choose to trust the system’s default CA certificates instead.

TL;DR: it looks to me ssl.create_default_context() will* create an ssl_context that uses the system defaults. Is there anything else we need? Might draft a PR for this…

• The usage of "can" in the docs suggests that this might be "may create", but I don't see why it wouldn't be the case. Are there cases when Python wouldn't trust the default system CA?

[Kludex]

Originally posted by @tomchristie on 2020-05-17T09:22:33Z

Not my core expertise, but pretty sure it's not a solved issue.

I sat down with @lukasa last year briefly, and one of the technical issues we talked about was dropping certifi, and the complexities of accessing the system trust store on different O/S's.

I'm sure @sethmlarson has a much better handle on the current state of affairs here. I think either @tiran's or @glyph's name might also have come up in my conversation with Cory, wrt. folks having done some work in this area, but I might be getting that wrong. Kinda a PyCon type thing.

In any case, assuming I have got the landscape correct here, I think "use system trust store by default" sits firmly in the "make this work in an independent, tightly-scoped third party package". If and when such a package exists, then yup we can take a look at using it, otherwise it's in the realm of "this isn't a resolved issue in the Python ecosystem, certifi is the best we can do until then".

[Kludex]

Originally posted by @florimondmanca on 2020-05-17T09:56:35Z

Just found out about this discussion starting back from 2016 in the Requests repo, loads of good background there: psf/requests#2966

[Kludex]

Originally posted by @tiran on 2020-05-17T10:01:21Z

I need to finish my prototype...

[Kludex]

Originally posted by @florimondmanca on 2020-05-17T15:54:46Z

Another data point in favor of us keeping certifi at this time: aiohttp not bundling certs by default seems to have been causing users a lot of pain… https://github.com/aio-libs/aiohttp/issues?q=is%3Aissue+verify+failed+

In a lot of these issues the solutions are often a mix of "disable cert validation" or "use certifi".

Eg aio-libs/aiohttp#955

[Kludex]

Originally posted by @tiran on 2020-05-17T18:41:36Z

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960869 should help to solve a bunch of problems. Fedora / RHEL should have root CA certificates installed. I'll verify UBI mini tomorrow.

[Kludex]

Originally posted by @ofek on 2020-05-31T23:50:32Z

@tiran How far along is that prototype? 😄

[Kludex]

Originally posted by @AstraLuma on 2021-02-04T16:40:35Z

A short-term solution might be to support pulling a CA bundle from environment variables (requests also supports this). This gives a knob for system administrators to make httpx behave.

On the prior art pile, urllib3 supports SecureTransport, but not SChannel.

Since this hasn't been mentioned in the thread, TLS has several knobs with regards to security, the big ones being algorithm selection and server certificate policies. Per the docs:

The settings are: PROTOCOL_TLS, OP_NO_SSLv2, and OP_NO_SSLv3 with high encryption cipher suites without RC4 and without unauthenticated cipher suites. Passing SERVER_AUTH as purpose sets verify_mode to CERT_REQUIRED and either loads CA certificates (when at least one of cafile, capath or cadata is given) or uses SSLContext.load_default_certs() to load default CA certificates.

This is basically drops the horribly insecure options and presents an ok default. (I am not enough of a security expert to say how good these defaults are.) In general, OpenSSL is complex, probably more complex than necessary.

[Kludex]

Originally posted by @AstraLuma on 2021-02-04T16:42:51Z

Also, a moment of silence for PEP 543.

[Kludex]

Originally posted by @stale[bot] on 2022-02-20T15:13:46Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[Kludex]

Originally posted by @ofek on 2022-02-20T15:24:38Z

Bump.

[Kludex]

Originally posted by @stale[bot] on 2022-03-25T07:31:01Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[Kludex]

Originally posted by @tomchristie on 2022-03-29T10:39:56Z

Linking to Seth's work on this... https://github.com/sethmlarson/truststore

[Kludex]

Originally posted by @dgasmith on 2022-06-07T23:23:29Z

We're hitting this issue as well when using ZTNA, for requests were able to set the REQUESTS_CA_BUNDLE environment variable for requests (source). Happy to make a PR here as well if an environment level is a workable solution.

We can implement at the application level; however, this will lead to inconsistent behavior as the use of HTTPX grows.