Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use the system trust store for HTTPS requests #1512

Merged
merged 1 commit into from Feb 16, 2024
Merged

Use the system trust store for HTTPS requests #1512

merged 1 commit into from Feb 16, 2024

Conversation

zanieb
Copy link
Member

@zanieb zanieb commented Feb 16, 2024
edited

Closes #1474

Using the rustls-tls-native-roots feature

rustls-tls: Enables TLS functionality provided by rustls. Equivalent to rustls-tls-webpki-roots.

rustls-tls-webpki-roots: Enables TLS functionality provided by rustls, while using root certificates from the webpki-roots crate.

rustls-tls-native-roots: Enables TLS functionality provided by rustls, while using root certificates from the rustls-native-certs crate.

Additional context:

Prior discussion at #609

@zanieb zanieb added enhancement New feature or request registry Related to package indexes and registries labels Feb 16, 2024
@zanieb zanieb marked this pull request as ready for review February 16, 2024 16:52
@zanieb
Copy link
Member Author

zanieb commented Feb 16, 2024

The major downsides are:

  • The OS update system may, in fact, be quite poor at keeping the root certificates up-to-date if it is disabled or out-of-support.
  • The quality of the ca-certificates package on debian-based Linux distributions is poor. At the time of writing, this ships many certificates not included in the Mozilla set, either because they failed an audit and were withdrawn or were removed for mississuance.

BurntSushi
BurntSushi approved these changes Feb 16, 2024
View reviewed changes
Copy link
Member

@BurntSushi BurntSushi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems okay to me. In particular, it seems like this is the recommended approach from rustls.

@BurntSushi BurntSushi merged commit 9737b93 into main Feb 16, 2024
7 checks passed
@BurntSushi BurntSushi deleted the zb/certs branch February 16, 2024 19:07
@notatallshaw
Copy link

FYI, Pip is moving to this model via truststore: https://pip.pypa.io/en/stable/topics/https-certificates/

My experience is it is massively helpful in large organization environments.

@branchvincent branchvincent mentioned this pull request Feb 17, 2024
Merged
@zanieb zanieb mentioned this pull request Feb 19, 2024
Open
@killjoy1221 killjoy1221 mentioned this pull request Feb 19, 2024
Open
@zanieb zanieb mentioned this pull request Feb 22, 2024
Merged
charliermarsh pushed a commit that referenced this pull request Feb 23, 2024
@zanieb
Use rustls-tls-native-roots in uv crate (#1888)
1103298 
I'm confused that we have this separate specification of `reqwests`? I'm
not sure this has any effect, but it seems like it should be done for
correctness.

Follows #1512
@carlosjourdan
Copy link

carlosjourdan commented Feb 27, 2024
edited

Corporate network with ssl inspection firewall, custom ca on every site. Root certificate is trusted by windows, and environment variables REQUESTS_CA_BUNDLE and SSL_CERT_FILE are setup. Python requests work fine. Pip install as well. uv fails with error below.

error: error sending request for url (https://pypi.org/simple/zeep/): error trying to connect: invalid peer certificate: UnknownIssuer
  Caused by: error trying to connect: invalid peer certificate: UnknownIssuer
  Caused by: invalid peer certificate: UnknownIssuer

@zanieb
Copy link
Member Author

zanieb commented Feb 27, 2024

Hi @carlosjourdan would you mind opening a new issue?

@carlosjourdan
Copy link

Just did

@carlosjourdan carlosjourdan mentioned this pull request Feb 27, 2024
Closed
@zanieb zanieb mentioned this pull request Mar 7, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BurntSushi BurntSushi BurntSushi approved these changes

@charliermarsh charliermarsh Awaiting requested review from charliermarsh

Assignees
No one assigned
Labels
enhancement New feature or request registry Related to package indexes and registries
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

How to run uv behind a corporate proxy?
4 participants
@zanieb @notatallshaw @carlosjourdan @BurntSushi