Question: would a patch deferring the creation of the pre-loaded SSLContext be accepted for faster startup?

[ichard26]

Hi,

So I'm investigating ways to improve pip's startup time. Obviously importing a HTTP library like requests is going to be slow regardless of we do, but the deferring the SSLContext pre-loading until use is something would benefit pip.

requests/src/requests/adapters.py

Lines 77 to 87 in fe0583b

	try:
	import ssl # noqa: F401
	_preloaded_ssl_context = create_urllib3_context()
	_preloaded_ssl_context.load_verify_locations(
	extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
	)
	except ImportError:
	# Bypass default SSLContext creation when Python
	# interpreter isn't built with the ssl module.
	_preloaded_ssl_context = None

pip manages its own SSLContext so it can use truststore for automatic system CA support, thus we never use _preloaded_ssl_context on Python 3.10 or higher¹. Unfortunately, OpenSSL 3.x has terrible verify path/location performance: python/cpython#95031 so the unnecessary load_verify_locations() call ends up eating ~15 ms on my system.

So, would a patch deferring the context creation until use be accepted? I realize this is of limited benefit for most users since they probably aren't passing their own SSLContext, so if this is too niche, I understand!

Footnotes

1. Truststore requires Python 3.10 or higher. Also, pip's truststore integration can be disabled via --use-deprecated=legacy-certs but as the flag name implies, we don't really want people to be using this until necessary. ↩

[ichard26]

Ah, there is already an issue and PR for this. Funnily enough, I 👍 the issue, but I totally forgot about it. Sorry!

• Do not load ssl context during import #6791
• Import time regression #6790