2.1.1 (2026-06-07)

Fixed

• Guarded MacOS truststore access in process forks. Apple document as unsafe accessing some CoreFoundation/Security in forks.
  Previously could lead to a crash (SIGABRT or SIGSEGV). Now automatically falling back to CCADB bundle if in such condition.
• Windows only materializes trusted roots on demand, so the enumerated OS store could be incomplete and
  cause unable to get local issuer certificate failures. Now extended with the embedded CCADB roots that the Windows AuthRoot
  CTL trusts for server authentication, even when not yet downloaded locally. (#52)

2.1.0 (2026-05-10)

Added

• set_cache_ttl top level function to set, in seconds, how long the CA bundle will be valid for until re-polling from the OS.
• Parameter hybrid_store boolean to force concatenate your OS CA bundle with the embedded CCADB bundle. E.g. wassima.generate_ca_bundle(hybrid_store=True).

Fixed

• Very old Linux with a stale CA bundle will now automatically be extended with the CCADB embedded bundle (no updates for at least 3 years).
• The cache being too aggressive, never invalidating itself, thus need a proper restart or manual lru_cache invalidation.
  Now the CA bundle output will expire after 12 hours to let updates propagate correctly from the OS.
• Ensured no duplicate CA appears in the final list.

Changed

• CCADB embedded bundle is updated to latest version.

2.0.6 (2026-04-07)

Fixed

• MacOS truststore implementation. A few tiny memory leaks and missing "trust" inspection when explicitly marked (i.e. CA) as "deny".

Changed

• CCADB embedded bundle is updated to latest version.

2.0.5 (2026-02-07)

Fixed

• Unreasonable deep scan under FreeBSD causing a significant lag while loading trusted CAs. (jawah/niquests#332)

Changed

• CCADB embedded bundle is updated to latest version. (#41)

2.0.4 (2026-01-13)

Fixed

• Rare unhandled PermissionError in Linux while in autodiscover of trusted CAs.

2.0.3 (2025-12-16)

Changed

• CCADB embedded bundle is updated to latest version. (#35)

2.0.2 (2025-10-05)

Changed

• CCADB embedded bundle is updated to latest version. (#27)

2.0.1 (2025-08-11)

Changed

• CCADB embedded bundle is updated to latest version. Include a new CA. (#23)

2.0.0 (2025-06-22)

Removed

• Constant RUSTLS_LOADED.
• Native Rust extension in favor of a pure Python solution.
• Optional dependency on Certifi.
• Running python -m wassima to debug platform support.

Added

• Integrated CA bundle to fallback on when no "official" trust store can be loaded.
  A single module shipped along with that library is now a derivative work of CCADB work
  licensed under Community Data License Agreement - Permissive - Version 2.0. It is not
  like copyleft MPL, therefor is compatible with our main MIT license.

Changed

• Top level functions like generate_ca_bundle now integrate intermediate CA on Windows and MacOS.
  You are responsible for trusting the bundle knowing that fact. It will no longer contain only trust anchors.
  On Python defaults, OpenSSL will rebuild the chain and ensure the trust anchors (e.g. root CA/self-signed) is
  there and valid. Passing VERIFY_PARTIAL_CHAIN will short circuit that insurance. (#16)

1.2.2 (2025-03-07)

Added

• Support for PyPy 3.11

Changed

• pyo3 updated from 0.23.4 to 0.23.5