Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cli: use truststore if available #1045

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

James-E-A
Copy link

The lack of this has been a perennial thorn for people behind corporate TLS MITM ALG proxies; when it's soluble, it's still annoying, and sometimes the proxy applications don't use a stable root bundle, rendering the situation kinda insoluble.

Pip added truststore support back in version 22.2, but Twine still seems to require users to rustle up CA bundles themselves, which can be difficult and is actually infeasible with certain proxy software (e.g. ZScaler) that rotates the roots regularly and distributes new bundles into the system trust stores via a system-level mechanism like Active Directory.

The current draft of the code only applies truststore during CLI dispatch, to avoid interfering with Twine's use as a library, per truststore documentation:

inject_into_ssl() must not be used by libraries or packages as it will cause issues on import time when integrated with other libraries. Libraries and packages should instead use truststore.SSLContext directly which is detailed below. The inject_into_ssl() function is intended only for use in applications and scripts.

The lack of this has been a *perennial* thorn for people behind
corporate TLS MITM ALG proxies; when it's soluble, it's still
annoying, and sometimes the proxy applications don't use a stable
root bundle, rendering the situation kinda insoluble.

- pypa#328
- pypa#387
- pypa#536
- pypa#740
- pypa#741
- pypa#835
- pypa#915
- pypa#1025
@sigmavirus24
Copy link
Member

Do you have any intention of making this ready for review at any point?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants