Skip to content

Cache truststore SSLContext as load_verify_locations() is slow#13199

Merged
ichard26 merged 1 commit intopypa:mainfrom
ichard26:cache-truststore-context
Feb 21, 2025
Merged

Cache truststore SSLContext as load_verify_locations() is slow#13199
ichard26 merged 1 commit intopypa:mainfrom
ichard26:cache-truststore-context

Conversation

@ichard26
Copy link
Member

@ichard26 ichard26 commented Feb 2, 2025

SSLContext can be reused across connections as per the Python docs:

SSLContext is designed to be shared and used by multiple connections. Thus, it is thread-safe as long as it is not reconfigured after being used by a connection.

In addition, requests has been using a global SSLContext and the sky hasn't fallen on them so I'm going to say this is pretty safe.

See also python/cpython#95031.

@ichard26
Cache truststore SSLContext as load_verify_locations() is slow
f7e8009 
SSLContext can be reused across connections as per the Python docs:

> SSLContext is designed to be shared and used by multiple connections.
> Thus, it is thread-safe as long as it is not reconfigured after being
> used by a connection.

In addition, requests has been using a global SSLContext and the world
hasn't blown up so I'm going to say this is pretty safe.
@ichard26 ichard26 added skip news Does not need a NEWS file entry (eg: trivial changes) type: performance Commands take too long to run labels Feb 2, 2025
@ichard26
Copy link
Member Author

ichard26 commented Feb 2, 2025

I didn't include a news entry as the benefit is not significant, but when you combine all of the verify location/path loads in a typical run, they consume ~75 ms (~15ms/load) on my system. This eliminates one load from the self-check session, and sethmlarson/truststore#171 will eliminate one load from truststore's intialization. I may include a news entry for the optimization work in general once it's done.

@ichard26
Copy link
Member Author

ichard26 commented Feb 21, 2025

The CPython documentation, requests's experience using a global SSLContext1, and Seth (from the linked truststore PR) all agree this should be fine. I'll merge this now.

Footnotes

  1. The fact that requests itself relies on a global SSLContext implies that requests is not reconfiguring the context as warned against in the Python documentation. We don't do anything special with the context within pip, so we are fine.

@ichard26 ichard26 merged commit 76895a0 into pypa:main Feb 21, 2025
31 checks passed
@ichard26 ichard26 deleted the cache-truststore-context branch February 21, 2025 23:22
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 9, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

skip news Does not need a NEWS file entry (eg: trivial changes) type: performance Commands take too long to run

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ichard26

Comments