Skip to content

TLS trust_system_ca_certs=False still loads system trust roots #73

Description

@dkropachev

Problem

TLS.trust_system_ca_certs=False is intended to disable system CA trust when callers provide a custom CA bundle. However, alternator.core.tls.create_ssl_context() unconditionally starts with ssl.create_default_context(), which loads default system trust roots before trust_system_ca_certs is inspected.

The later branch only sets verify_mode = ssl.CERT_REQUIRED; it does not remove the already-loaded system CAs.

Evidence

Relevant code:

  • alternator/core/tls.py: create_ssl_context() calls ssl.create_default_context() unconditionally.
  • The comment says: "If not using system CA and custom certs provided, don't load system certs", but the implementation has already loaded them.
  • tests/unit/test_tls.py::test_no_system_ca_with_custom_certs only checks verify_mode, so it misses trust-store contents.

Expected behavior

When trust_system_ca_certs=False, the SSL context should not load default system CA certificates. It should only trust explicitly configured custom CAs, unless trust_all_certificates=True is set.

Test coverage needed

Mock or inspect SSL context construction to verify that default trust locations are not loaded when trust_system_ca_certs=False, and that custom CA paths are still loaded.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions