Skip to content

Cache truststore SSLContext as load_verify_locations() is slow #13199

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 21, 2025
Merged

Cache truststore SSLContext as load_verify_locations() is slow #13199

merged 1 commit into from
Feb 21, 2025

Conversation

ichard26
Copy link
Member

@ichard26 ichard26 commented Feb 2, 2025

SSLContext can be reused across connections as per the Python docs:

SSLContext is designed to be shared and used by multiple connections. Thus, it is thread-safe as long as it is not reconfigured after being used by a connection.

In addition, requests has been using a global SSLContext and the sky hasn't fallen on them so I'm going to say this is pretty safe.

See also python/cpython#95031.

@ichard26
Cache truststore SSLContext as load_verify_locations() is slow
f7e8009 
SSLContext can be reused across connections as per the Python docs:

> SSLContext is designed to be shared and used by multiple connections.
> Thus, it is thread-safe as long as it is not reconfigured after being
> used by a connection.

In addition, requests has been using a global SSLContext and the world
hasn't blown up so I'm going to say this is pretty safe.
@ichard26 ichard26 added skip news Does not need a NEWS file entry (eg: trivial changes) type: performance Commands take too long to run labels Feb 2, 2025
@ichard26
Copy link
Member Author

ichard26 commented Feb 2, 2025

I didn't include a news entry as the benefit is not significant, but when you combine all of the verify location/path loads in a typical run, they consume ~75 ms (~15ms/load) on my system. This eliminates one load from the self-check session, and sethmlarson/truststore#171 will eliminate one load from truststore's intialization. I may include a news entry for the optimization work in general once it's done.

@ichard26
Copy link
Member Author

The CPython documentation, requests's experience using a global SSLContext1, and Seth (from the linked truststore PR) all agree this should be fine. I'll merge this now.

Footnotes

  1. The fact that requests itself relies on a global SSLContext implies that requests is not reconfiguring the context as warned against in the Python documentation. We don't do anything special with the context within pip, so we are fine.

@ichard26 ichard26 merged commit 76895a0 into pypa:main Feb 21, 2025
31 checks passed
@ichard26 ichard26 deleted the cache-truststore-context branch February 21, 2025 23:22
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 9, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
skip news Does not need a NEWS file entry (eg: trivial changes) type: performance Commands take too long to run
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ichard26