Add support for SSL_CERT_DIR#16473

Merged
zanieb merged 2 commits into astral-sh:main from samypr100:ssl-cert-dir
Nov 16, 2025

@samypr100 (Collaborator) commented Oct 27, 2025

Summary

Closes #16414

Adds support for the standard SSL_CERT_DIR which has gained recent proper support from rustls-native-certs in v0.8.2.

In addition, this PR clarifies documentation around SSL_CERT_FILE and SSL_CERT_DIR when used in combination with UV_NATIVE_TLS as mentioned in #16412 (comment)

Test Plan

Manually tested with custom cert chains in multiple directories and loading them via SSL_CERT_DIR. We didn't have tests for SSL_CERT_FILE or SSL_CERT_DIR environment variables so I added a basic one using our own test-only certificate generation and dummy https server. I also moved some things around for better reuse.

@samypr100 (Collaborator, Author) commented:

Please ignore the docker failures as it's due to my depot OIDC configuration.

samypr100 force-pushed the ssl-cert-dir branch 5 times, most recently from 23b0c80 to 0a1ccef (October 30, 2025 18:07)
samypr100 requested a review from konstin (October 30, 2025 18:13)
samypr100 added the enhancement label (New feature or improvement to existing functionality) on Oct 31, 2025
samypr100 force-pushed the ssl-cert-dir branch 4 times, most recently from da9adb1 to 8acabca (November 2, 2025 17:30)
samypr100 force-pushed the ssl-cert-dir branch 4 times, most recently from 9ced871 to 5d19d0b (November 10, 2025 05:46)
codspeed-hq bot commented Nov 10, 2025

CodSpeed Performance Report

Merging #16473 will not alter performance

Comparing samypr100:ssl-cert-dir (013385f) with main (aec4254)

Summary

✅ 6 untouched

samypr100 force-pushed the ssl-cert-dir branch 2 times, most recently from 96c6e9f to 6f9065b (November 11, 2025 21:21)
zanieb merged commit bf99f0a into astral-sh:main on Nov 16, 2025
161 checks passed
samypr100 deleted the ssl-cert-dir branch (November 16, 2025 18:01)
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Nov 18, 2025
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.9.9` -> `0.9.10` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>astral-sh/uv (astral-sh/uv)</summary>

### [`v0.9.10`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#0910)

[Compare Source](astral-sh/uv@0.9.9...0.9.10)

Released on 2025-11-17.

##### Enhancements

- Add support for `SSL_CERT_DIR` ([#16473](astral-sh/uv#16473))
- Enforce UTF‑8-encoded license files during `uv build` ([#16699](astral-sh/uv#16699))
- Error when a `project.license-files` glob matches nothing ([#16697](astral-sh/uv#16697))
- `pip install --target` (and `sync`) install Python if necessary ([#16694](astral-sh/uv#16694))
- Account for `python_downloads_json_url` in pre-release Python version warnings ([#16737](astral-sh/uv#16737))
- Support HTTP/HTTPS URLs in `uv python --python-downloads-json-url` ([#16542](astral-sh/uv#16542))

##### Preview features

- Add support for `--upgrade` in `uv python install` ([#16676](astral-sh/uv#16676))
- Fix handling of `python install --default` for pre-release Python versions ([#16706](astral-sh/uv#16706))
- Add `uv workspace list` to list workspace members ([#16691](astral-sh/uv#16691))

##### Bug fixes

- Don't check file URLs for ambiguously parsed credentials ([#16759](astral-sh/uv#16759))

##### Documentation

- Add a "storage" reference document ([#15954](astral-sh/uv#15954))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
@michael-o commented:

This really looks like openssl-probe reinvented. It does already the env var magic. I am confused why uv has to reproduce it?! uv does use openssl-probe.

@samypr100 (Collaborator, Author) commented Nov 19, 2025

> This really looks like openssl-probe reinvented. It does already the env var magic. I am confused why uv has to reproduce it?! uv does use openssl-probe.

I don't think this is correct as stated, as uv does not use openssl-probe by default. It's opt-in when --native-tls is passed and SSL_CERT_DIR or SSL_CERT_FILE are not set. We delegate to rustls-native-certs and primarily proxy the supported environment variables to provide a better user experience when common user errors are present in the values of these.
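
Added example, not part of the thread and not uv's code: a preflight check for the kind of `SSL_CERT_DIR` value mistakes the reply above alludes to. The specific checks, the function names, and the `:` separator (the OpenSSL convention on Unix) are assumptions; matching the PEM header is a presence check only, not certificate validation.

```sh
#!/bin/sh
# Added example (not uv code): preflight check for an SSL_CERT_DIR value.
# Assumption: entries are ':'-separated, as in the OpenSSL convention on Unix.

PEM_MARK='-----BEGIN CERTIFICATE-----'

# check_cert_dir_entry DIR  (hypothetical helper)
# Prints one status word; returns 0 only when DIR is a directory holding
# at least one regular file (or symlink to one) with a PEM certificate header.
check_cert_dir_entry() {
    d=$1
    [ -n "$d" ] || { echo "empty-entry"; return 1; }
    [ -e "$d" ] || { echo "missing"; return 1; }
    [ -d "$d" ] || { echo "not-a-directory"; return 1; }
    for f in "$d"/*; do
        if [ -f "$f" ] && grep -q -e "$PEM_MARK" "$f"; then
            echo "ok"; return 0
        fi
    done
    echo "no-pem-cert"; return 1
}

# check_ssl_cert_dir VALUE  (hypothetical helper)
# Prints "entry: status" per entry; returns 1 if any entry is unusable.
check_ssl_cert_dir() {
    value=$1
    bad=0
    old_ifs=$IFS
    IFS=':'; set -f          # split on ':' only, without glob expansion
    set -- $value
    set +f; IFS=$old_ifs
    [ "$#" -gt 0 ] || { echo "<unset or empty>: empty-entry"; return 1; }
    for entry in "$@"; do
        status=$(check_cert_dir_entry "$entry") || bad=1
        printf '%s: %s\n' "${entry:-<empty>}" "$status"
    done
    return "$bad"
}

# Stand-alone use: report on the current environment, if the variable is set.
if [ -n "${SSL_CERT_DIR:-}" ]; then
    check_ssl_cert_dir "$SSL_CERT_DIR" || echo "SSL_CERT_DIR has unusable entries" >&2
fi
```

An entry that is a file rather than a directory (a path that belongs in `SSL_CERT_FILE`) is reported as `not-a-directory`, and a doubled `::` is reported as `empty-entry`.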
