diff --git a/docs/user/advanced.rst b/docs/user/advanced.rst index 5c9df948..175fc9b7 100644 --- a/docs/user/advanced.rst +++ b/docs/user/advanced.rst @@ -228,6 +228,28 @@ If you specify a wrong path or an invalid cert:: >>> requests.get('https://kennethreitz.com', cert='/wrong_path/server.pem') SSLError: [Errno 336265225] _ssl.c:347: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib +.. _ca-certificates: + +CA Certificates +--------------- + +By default Requests bundles a set of root CAs that it trusts, sourced from the +`Mozilla trust store`_. However, these are only updated once for each Requests +version. This means that if you pin a Requests version your certificates can +become extremely out of date. + +From Requests version 2.4.0 onwards, Requests will attempt to use certificates +from `certifi`_ if it is present on the system. This allows for users to update +their trusted certificates without having to change the code that runs on their +system. + +For the sake of security we recommend upgrading certifi frequently! + +.. _HTTP persistent connection: https://en.wikipedia.org/wiki/HTTP_persistent_connection +.. _connection pooling: https://urllib3.readthedocs.org/en/latest/pools.html +.. _certifi: http://certifi.io/ +.. _Mozilla trust store: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt + .. _body-content-workflow: Body Content Workflow @@ -853,25 +875,3 @@ coffee. r = requests.get('https://github.com', timeout=None) .. _`connect()`: http://linux.die.net/man/2/connect - -.. _ca-certificates: - -CA Certificates ---------------- - -By default Requests bundles a set of root CAs that it trusts, sourced from the -`Mozilla trust store`_. However, these are only updated once for each Requests -version. This means that if you pin a Requests version your certificates can -become extremely out of date. - -From Requests version 2.4.0 onwards, Requests will attempt to use certificates -from `certifi`_ if it is present on the system. This allows for users to update -their trusted certificates without having to change the code that runs on their -system. - -For the sake of security we recommend upgrading certifi frequently! - -.. _HTTP persistent connection: https://en.wikipedia.org/wiki/HTTP_persistent_connection -.. _connection pooling: https://urllib3.readthedocs.org/en/latest/pools.html -.. _certifi: http://certifi.io/ -.. _Mozilla trust store: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt