Problem
TLS.trust_system_ca_certs=False is intended to disable system CA trust when callers provide a custom CA bundle. However, alternator.core.tls.create_ssl_context() unconditionally starts with ssl.create_default_context(), which loads default system trust roots before trust_system_ca_certs is inspected.
The later branch only sets verify_mode = ssl.CERT_REQUIRED; it does not remove the already-loaded system CAs.
Evidence
Relevant code:
alternator/core/tls.py: create_ssl_context() calls ssl.create_default_context() unconditionally.
- The comment says: "If not using system CA and custom certs provided, don't load system certs", but the implementation has already loaded them.
tests/unit/test_tls.py::test_no_system_ca_with_custom_certs only checks verify_mode, so it misses trust-store contents.
Expected behavior
When trust_system_ca_certs=False, the SSL context should not load default system CA certificates. It should only trust explicitly configured custom CAs, unless trust_all_certificates=True is set.
Test coverage needed
Mock or inspect SSL context construction to verify that default trust locations are not loaded when trust_system_ca_certs=False, and that custom CA paths are still loaded.
Problem
TLS.trust_system_ca_certs=Falseis intended to disable system CA trust when callers provide a custom CA bundle. However,alternator.core.tls.create_ssl_context()unconditionally starts withssl.create_default_context(), which loads default system trust roots beforetrust_system_ca_certsis inspected.The later branch only sets
verify_mode = ssl.CERT_REQUIRED; it does not remove the already-loaded system CAs.Evidence
Relevant code:
alternator/core/tls.py:create_ssl_context()callsssl.create_default_context()unconditionally.tests/unit/test_tls.py::test_no_system_ca_with_custom_certsonly checksverify_mode, so it misses trust-store contents.Expected behavior
When
trust_system_ca_certs=False, the SSL context should not load default system CA certificates. It should only trust explicitly configured custom CAs, unlesstrust_all_certificates=Trueis set.Test coverage needed
Mock or inspect SSL context construction to verify that default trust locations are not loaded when
trust_system_ca_certs=False, and that custom CA paths are still loaded.