What's the problem this feature will solve?
Hello! @davisagli and I created truststore so that Python can verify certificates using native operating system APIs. We figure that with pip's usage behind corporate proxies and custom package indices this functionality would be useful to pip users.
We use OpenSSL for the handshake but then pass the peer certificate chain to OS cert verification APIs like Security framework on macOS and CryptoAPI on Windows. The peer certificate chain is grabbed from experimental APIs in the ssl module but after speaking to @tiran the APIs will be in their same state in Python 3.11.
Describe the solution you'd like
The library currently only supports Python 3.10+ so would need to be optional for now, perhaps behind a --use-feature flag? The library also supports loading additional CA certificates into the SSLContext. To ensure that no certificate chains that previously verified using only certifi would stop verifying (although I believe this situation would be rare) the SSLContext could be loaded with certifi certs in addition to using the system store, if desired.
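As an added example (not code from this issue, from truststore or from pip), this is how the layering described above could be built: a truststore SSLContext that hands chain verification to the OS, with certifi's bundle and an optional corporate CA file loaded on top. It assumes the truststore and certifi packages are installed; when either is missing it falls back to OpenSSL's own default store, which is not the OS verification the issue describes.

```python
import ssl

try:
    import truststore  # assumption: the truststore package is installed
except ImportError:  # fallback: OpenSSL's default store, not the OS APIs
    truststore = None

try:
    import certifi  # assumption: certifi is installed (optional here)
except ImportError:
    certifi = None


def build_context(include_certifi=True, extra_ca_file=None):
    """Client SSLContext that verifies against the OS trust store via
    truststore and, optionally, also trusts certifi's bundle and one
    extra CA file (e.g. a corporate proxy CA)."""
    if truststore is not None:
        # The handshake still runs in OpenSSL; the peer chain is then
        # verified by Security framework / CryptoAPI / OpenSSL per platform.
        ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_default_certs()  # OpenSSL's bundled locations only
    # Never relax the client defaults when layering extra stores.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if include_certifi and certifi is not None:
        # Chains that only certifi trusts keep verifying after the switch.
        ctx.load_verify_locations(cafile=certifi.where())
    if extra_ca_file is not None:
        # A missing CA file raises FileNotFoundError rather than being
        # silently skipped, so a mistyped path cannot weaken verification.
        ctx.load_verify_locations(cafile=extra_ca_file)
    return ctx


def trusted_ca_count(ctx):
    """Number of CA certificates OpenSSL holds in this context's store."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    context = build_context()
    print("backend:", "truststore" if truststore else "openssl-only")
    print("CA certs loaded into OpenSSL store:", trusted_ca_count(context))
```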
Alternative Solutions
N/A
Additional context
N/A