Truststore

Verify certificates using OS trust stores. Supports macOS, Windows, and Linux (with OpenSSL).

Warning

This project should be considered experimental so shouldn’t be used in production.

Platforms

• Requires Python 3.10 or later

• Supports macOS 10.8+ via Security framework

• Supports Windows via CryptoAPI

• Supports Linux via OpenSSL

Usage

The truststore module has a single API: truststore.SSLContext

   import truststore

   ctx = truststore.SSLContext()

This SSLContext works the same as an ssl.SSLContext. You can use it anywhere you would use an ssl.SSLContext and system trust stores are automatically used to verify peer certificates:

   import urllib3

   http = urllib3.PoolManager(ssl_context=ctx)
   http.request("GET", "https://example.com")

Supports wrapping socket.socket and ssl.MemoryBIO so works with both synchronous and asynchronous I/O:

   import aiohttp

   http = aiohttp.ClientSession(ssl=ctx)
   await http.request("GET", "https://example.com")

Prior art

• The future of trust stores in Python (PyCon US 2022 lightning talk) (slides)

• Experimental APIs in Python 3.10 and the future of trust stores

• PEP 543: A Unified TLS API for Python

License

MIT