SSLContext has a _load_windows_store_certs method which is called by SSLContext.load_default_certs to load CA certs on Windows. We could replace it with a method that does nothing to avoid unnecessary work.
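A sketch of the no-op override proposed above, as an added example that is not truststore's or CPython's code. `NoWindowsStoreContext`, `skipped_stores` and `stores_skipped_as_windows` are hypothetical names, and the temporary `sys.platform` swap is only there so the Windows branch of `load_default_certs` can be exercised on any OS.

```python
import ssl
import sys


class NoWindowsStoreContext(ssl.SSLContext):
    """Hypothetical subclass; the name is an assumption for this example."""

    def __init__(self, *args, **kwargs):
        # ssl.SSLContext is built in __new__, so only local state is set here.
        self.skipped_stores = []

    def _load_windows_store_certs(self, storename, purpose):
        # CPython's version enumerates the named Windows store and loads each
        # trusted CA into OpenSSL. Here nothing is loaded; the store name is
        # recorded so the skipped work is visible.
        self.skipped_stores.append(storename)


def stores_skipped_as_windows(ctx):
    """Run load_default_certs() through its win32 branch on any OS."""
    real_platform = sys.platform
    sys.platform = "win32"  # demo only: ssl.py checks sys.platform at call time
    try:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    finally:
        sys.platform = real_platform
    return list(ctx.skipped_stores)


if __name__ == "__main__":
    ctx = NoWindowsStoreContext(ssl.PROTOCOL_TLS_CLIENT)
    print("stores skipped:", stores_skipped_as_windows(ctx))
    # Verification is still required; only the store enumeration was removed.
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
```

With the override in place OpenSSL receives no trust anchors from the Windows stores, so the context must stay at `CERT_REQUIRED` and verification has to come from somewhere other than those stores.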
Since the long-term goal is to integrate this functionality into CPython's SSLContext, I was thinking of changing load_default_certs to basically have a flag that says "we want system certs" and, if set, we use the certificate verification implemented in truststore; otherwise we use the normal SSLContext flow. This is compatible with the "use system certificates and these additional certificates" flow too.
At a high level that makes sense. We'll need to think carefully about how to name it to avoid confusion. Because load_default_certs is kind of already a way to say "we want system certs," except that of course it doesn't work on Mac and it doesn't switch away from using OpenSSL as the way to verify the certs that have been loaded. I don't have a specific proposal yet but it seems like we want something that's more about what system to use for verification, rather than "where the CA certs come from" (though that's probably the mental model that most users have about what needs to be fixed).