[REQ] [Python] Use urllib3 default (system) CA bundle instead of certifi
Created by: rparini
Is your feature request related to a problem? Please describe.
Since version 1.25.3 urllib3 defaults to using the system Certificate Authority (CA) bundle:

> 1.25.3 (2019-05-23)
However, the Python client currently overrides this default, using a CA bundle from certifi instead of the system bundle, if the user does not specify `configuration.ssl_ca_cert`.
Describe the solution you'd like
I propose removing certifi as a dependency, requiring urllib3 >= 1.25.3 and relying on urllib3 to handle the case when no CA bundle is specified by the user.
My main reasoning is that it’s up to urllib3 to handle the SSL verification and it would be a better separation of concerns to simply pass `configuration.ssl_ca_cert` through to `urllib3.PoolManager` or `urllib3.ProxyManager`’s `ca_certs` argument without additional logic. The generated client should still work "out of the box" for most people now that urllib3 has a default that allows for SSL verification using the system CA store.
My secondary concern is having certifi as a default and required dependency in a project like this that's intended to run in a lot of different environments:
- The Windows system CA store is a registry entry, not a file that can be passed to `ca_certs`, so it seems quite difficult to override the certifi default with the Windows CA bundle. However, if the system CA bundle were the default then it would be easy for the user to override it with `configuration.ssl_ca_cert=certifi.where()` if they choose.
- In a corporate setting the system CA store may be centrally managed to ensure frequent updates and/or company-signed certificates for connecting to company services or proxies. An external bundle like certifi will not include company root certificates, and its installation may itself present a security policy violation under these circumstances.
If there’s some general agreement on this I’d be happy to submit a pull request.
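The pass-through the issue proposes, as an added example that is not part of the issue or of the generated client's code. `Configuration` is a minimal stand-in with only the `ssl_ca_cert` attribute named above; `ca_certs_for_urllib3`, `pool_manager_kwargs`, `build_ssl_context` and `trust_source` are hypothetical helper names. The `legacy_certifi_default` flag reproduces the current behaviour (substitute `certifi.where()` when nothing is configured) next to the proposed one (pass `None` and let urllib3 >= 1.25.3 load the system store), and the stdlib `ssl` context shows what each choice means for verification without needing a network connection.

```python
"""Added example: pass configuration.ssl_ca_cert straight through to urllib3.

Not code from the issue or the generated client. Configuration is a stand-in
for the generated client's Configuration object; helper names are assumed.
"""
import ssl
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class Configuration:
    """Minimal stand-in: only ssl_ca_cert is taken from the issue."""
    ssl_ca_cert: Optional[str] = None  # path to a PEM bundle, or None


def ca_certs_for_urllib3(config: Configuration, legacy_certifi_default: bool = False) -> Optional[str]:
    """Value for the ca_certs argument of urllib3.PoolManager / ProxyManager.

    Proposed behaviour (legacy_certifi_default=False): hand the user's value
    through untouched; None lets urllib3 >= 1.25.3 fall back to the system
    CA store (on Windows that store is registry-backed, so no file path exists).
    Legacy behaviour (True): substitute certifi's bundle when nothing is set,
    which silently ignores centrally managed corporate roots.
    """
    if config.ssl_ca_cert:
        return config.ssl_ca_cert
    if legacy_certifi_default:
        import certifi  # optional dependency the issue proposes to drop
        return certifi.where()
    return None


def pool_manager_kwargs(config: Configuration, legacy_certifi_default: bool = False) -> dict:
    """Keyword arguments a client would forward to urllib3.PoolManager(**kw).

    cert_reqs stays CERT_REQUIRED in both modes; only the trust-anchor source
    differs. ca_certs is omitted (not set to a bogus value) when None so that
    urllib3's own default applies.
    """
    kw = {"cert_reqs": ssl.CERT_REQUIRED}
    ca = ca_certs_for_urllib3(config, legacy_certifi_default)
    if ca is not None:
        kw["ca_certs"] = ca
    return kw


def build_ssl_context(config: Configuration) -> ssl.SSLContext:
    """Stdlib view of the same decision: create_default_context loads the
    given cafile if one is set, otherwise load_default_certs() (system store,
    including the Windows certificate stores via ssl.enum_certificates)."""
    return ssl.create_default_context(cafile=config.ssl_ca_cert)


def trust_source(config: Configuration) -> str:
    """Describe where trust anchors come from for a given configuration."""
    if config.ssl_ca_cert:
        return f"explicit bundle: {config.ssl_ca_cert}"
    if sys.platform == "win32":
        return "system store (Windows certificate stores, registry-backed)"
    paths = ssl.get_default_verify_paths()
    return f"system store (cafile={paths.cafile}, capath={paths.capath})"


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """Sanity check a client should keep: chain and hostname verification on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    # Constructed configurations: the default, and a hypothetical corporate bundle path.
    for cfg in (Configuration(), Configuration(ssl_ca_cert="/path/to/corp-bundle.pem")):
        print(trust_source(cfg), "->", pool_manager_kwargs(cfg))
    ctx = build_ssl_context(Configuration())
    print("system anchors loaded:", len(ctx.get_ca_certs()), "verifying:", context_is_verifying(ctx))
```

With the proposed behaviour the only extra logic in the client is "forward the value"; a user who wants certifi's bundle sets `configuration.ssl_ca_cert = certifi.where()` explicitly, and a user on a managed host gets the system roots (including company CAs) with no configuration at all.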