[TODO] Use truststore in place of ssl by default #11705

Description

@webknjaz

Is your feature request related to a problem?

I mentioned this once or twice in the past. Now, I'm filing a tracking issue with action items.

People often face the problem of TLS certificate verification failing in the Python land while other tools in the same OS/runtime work. This is because Python's stdlib ssl is not set up to consult system trust stores.

The truststore library implements this with its drop-in replacement SSLContext and OS-specific API integrations. pip 24.2+ uses it by default and we should too.

This will improve the UX for our HTTP client. Though, the end-users can still use either stdlib ssl, or truststore-produced when passing an explicit context object.

Describe the solution you'd like

Relying on system-managed TLS trust stores when making HTTPS requests.

Action items:

  • locate all places constructing ssl.SSLContext objects (may be created via ssl.create_default_context())
  • replace those with truststore.SSLContext
  • at runtime, prefer truststore which should be shielded on import with a fallback to just stdlib ssl
  • truststore should probably be a mandatory runtime dependency in packaging core metadata; although, maybe we need to follow pip's example and make it optional first (via extras or manual install) and then add it unconditionally later
  • document the priority and the compatibility considerations

Describe alternatives you've considered

N/A

Related component

Client

Additional context

Code of Conduct

  • I agree to follow the aio-libs Code of Conduct
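The two halves of the action plan in this issue (find the places that build a stdlib `ssl.SSLContext`, then build client contexts through a shielded `truststore` import with a stdlib fallback) as one runnable example. This is added illustration, not aiohttp's or truststore's own code. It assumes only the public `truststore.SSLContext(protocol)` constructor; the helper names `find_stdlib_context_calls`, `make_client_ssl_context`, `uses_system_trust_store` and `verifies_peer`, and the `SAMPLE_SOURCE` module it scans, are constructed for this example.

```python
"""Added example (not aiohttp's code): locate stdlib SSLContext construction
sites and build a client context that prefers truststore with a stdlib fallback."""
import ast
import ssl

try:  # shielded import: truststore is treated as optional, as the issue suggests
    import truststore
except ImportError:
    truststore = None

TRUSTSTORE_AVAILABLE = truststore is not None

# Stdlib call sites the issue proposes to replace with truststore.SSLContext.
_STDLIB_FACTORIES = {"SSLContext", "create_default_context"}


def find_stdlib_context_calls(source: str, filename: str = "<string>") -> list:
    """Return sorted (lineno, name) pairs for every call of ssl.SSLContext(...)
    or ssl.create_default_context(...) in `source`. Bare-name calls (from
    `from ssl import create_default_context`) are reported as well."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "ssl" and func.attr in _STDLIB_FACTORIES):
            hits.append((node.lineno, f"ssl.{func.attr}"))
        elif isinstance(func, ast.Name) and func.id in _STDLIB_FACTORIES:
            hits.append((node.lineno, func.id))
    return sorted(hits)


def make_client_ssl_context(prefer_truststore: bool = True):
    """Client-side context: truststore.SSLContext when importable, else the
    stdlib default context. PROTOCOL_TLS_CLIENT turns on hostname checking
    and CERT_REQUIRED in both cases."""
    if prefer_truststore and truststore is not None:
        return truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return ssl.create_default_context()


def uses_system_trust_store(ctx) -> bool:
    """True when `ctx` is a truststore context (OS trust store consulted)."""
    return truststore is not None and isinstance(ctx, truststore.SSLContext)


def verifies_peer(ctx) -> bool:
    """Regression check: switching context classes must not weaken verification."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed sample module standing in for a scan of a real code base.
SAMPLE_SOURCE = '''\
import ssl
from ssl import create_default_context

def a():
    return ssl.create_default_context()

def b(cafile):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile)
    return ctx

def c():
    return create_default_context()

def d():
    return ssl.CERT_REQUIRED  # attribute access, not a context construction
'''

if __name__ == "__main__":
    for lineno, name in find_stdlib_context_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}(...) -> candidate for truststore.SSLContext")
    ctx = make_client_ssl_context()
    print("truststore in use:", uses_system_trust_store(ctx),
          "| peer verification on:", verifies_peer(ctx))
```

Running the module lists lines 5, 8 and 13 of the sample as replacement candidates; line 16 is skipped because it only reads an attribute. Whether `uses_system_trust_store` reports True depends on whether `truststore` is installed, which is exactly the optional-dependency question the last two action items leave open.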
