Windows SChannel TLS/mTLS provider for requests and websockets — smartcard and PKI authentication via native Windows APIs

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for ruckc from gravatar.com ruckc

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Tags mtls , pki , requests , schannel , smartcard , sspi , tls , websockets , windows
  • Requires: Python >=3.12
  • Provides-Extra: all , dev , lint , requests , sspilib , test , websockets
Classifiers
Report project as malware

Project description

requests-schannel

License: MIT Python 3.12+ OS: Windows

Windows SChannel TLS/mTLS provider for requests and websockets — smartcard and PKI authentication via native Windows APIs.

requests-schannel replaces OpenSSL with the built-in Windows SChannel SSPI provider, enabling:

  • Smartcard / PIV authentication — use certificates on hardware tokens without exporting private keys
  • Windows certificate store integration — select client certificates by thumbprint, subject, or let Windows auto-select
  • Native trust store — server verification uses the Windows trust store (no CA bundle files)
  • TLS 1.2 / 1.3 with ALPN negotiation
  • Zero native dependencies — pure-Python ctypes backend included; optional sspilib backend for enhanced performance

Table of Contents

Installation

pip install requests-schannel

With optional dependencies:

# requests integration
pip install requests-schannel[requests]

# websockets integration
pip install requests-schannel[websockets]

# sspilib backend (recommended for production)
pip install requests-schannel[sspilib]

# Everything
pip install requests-schannel[all]

Note: This library requires Windows and Python 3.12+.

Quick Start

import requests
from requests_schannel import SchannelAdapter

session = requests.Session()
session.mount("https://", SchannelAdapter())

resp = session.get("https://example.com")
print(resp.status_code)

Usage

requests Integration

Drop-in Adapter

Mount SchannelAdapter onto a requests.Session to route all HTTPS traffic through SChannel:

import requests
from requests_schannel import SchannelAdapter

session = requests.Session()
session.mount("https://", SchannelAdapter())

resp = session.get("https://www.howsmyssl.com/a/check")
print(resp.json()["tls_version"])

Convenience Session Factory

create_session() returns a pre-configured session with the adapter already mounted:

from requests_schannel import create_session

session = create_session()
resp = session.get("https://example.com")

WebSocket Integration

Connect to WebSocket servers over TLS using SChannel:

import asyncio
from requests_schannel.ws import schannel_connect

async def main():
    async with schannel_connect("wss://echo.websocket.org") as ws:
        await ws.send("hello")
        response = await ws.recv()
        print(response)

asyncio.run(main())

Low-Level Socket API

Use SchannelContext and SchannelSocket directly for custom TLS connections:

import socket
from requests_schannel import SchannelContext

ctx = SchannelContext()
ctx.set_alpn_protocols(["http/1.1"])

raw_sock = socket.create_connection(("example.com", 443))
tls_sock = ctx.wrap_socket(raw_sock, server_hostname="example.com")

tls_sock.send(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
print(tls_sock.recv(4096))
tls_sock.close()

Async Socket API

For asyncio applications that need TLS without requests or websockets:

import asyncio
from requests_schannel import SchannelContext, AsyncSchannelSocket

async def main():
    ctx = SchannelContext()
    sock = await AsyncSchannelSocket.connect("example.com", 443, ctx)

    await sock.send(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    data = await sock.recv(4096)
    print(data)
    await sock.close()

asyncio.run(main())

Client Certificate (mTLS)

Select a client certificate from the Windows certificate store for mutual TLS authentication.

By Thumbprint

from requests_schannel import SchannelAdapter, create_session

# Using the adapter directly
adapter = SchannelAdapter(client_cert_thumbprint="AB12CD34EF56...")
session = requests.Session()
session.mount("https://", adapter)

# Or using the convenience factory
session = create_session(client_cert_thumbprint="AB12CD34EF56...")

By Subject Name

session = create_session(client_cert_subject="CN=myuser")

Auto-Select

Let Windows choose a suitable client certificate (may display a UI prompt):

session = create_session(auto_select_client_cert=True)

Custom Certificate Store

By default, certificates are loaded from the "MY" (Personal) store. Specify a different store:

session = create_session(
    client_cert_thumbprint="AB12CD34EF56...",
    cert_store_name="MY",  # "MY", "Root", "CA", etc.
)

WebSocket mTLS

async with schannel_connect(
    "wss://secure.example.com/ws",
    client_cert_thumbprint="AB12CD34EF56...",
) as ws:
    await ws.send("authenticated!")

Backends

requests-schannel provides two backends for interacting with the Windows SChannel API:

Backend Description Install
ctypes Pure-Python ctypes calls to secur32.dll / crypt32.dll. Zero dependencies. Ships with the package. Built-in
sspilib Uses the sspilib package for SSPI operations. Recommended for production. pip install requests-schannel[sspilib]

The backend is auto-selected (sspilib if available, otherwise ctypes). To force a specific backend:

from requests_schannel import SchannelAdapter, SchannelContext

# Via adapter
adapter = SchannelAdapter(backend="ctypes")

# Via context
ctx = SchannelContext(backend="sspilib")

API Reference

SchannelAdapter

requests.adapters.HTTPAdapter subclass for SChannel TLS.

SchannelAdapter(
    client_cert_thumbprint: str | None = None,
    client_cert_subject: str | None = None,
    auto_select_client_cert: bool = False,
    cert_store_name: str = "MY",
    alpn_protocols: list[str] | None = None,
    backend: str | None = None,
    schannel_context: SchannelContext | None = None,
    **kwargs,  # passed to HTTPAdapter
)

Properties:

  • schannel_context — the underlying SchannelContext instance

create_session()

Convenience factory that returns a requests.Session with SchannelAdapter mounted on https://.

create_session(
    client_cert_thumbprint: str | None = None,
    client_cert_subject: str | None = None,
    auto_select_client_cert: bool = False,
    cert_store_name: str = "MY",
    alpn_protocols: list[str] | None = None,
    backend: str | None = None,
    **kwargs,
) -> requests.Session

SchannelContext

ssl.SSLContext-compatible object backed by Windows SChannel. Thread-safe — the credential handle is shared; each wrap_socket() creates a new per-connection security context.

SchannelContext(backend: str | SchannelBackend | None = None)

Properties:

  • client_cert_thumbprint — SHA-1 thumbprint for mTLS client cert selection
  • client_cert_subject — subject name substring for client cert selection
  • auto_select_client_cert — let Windows auto-select a client cert
  • cert_store_name — Windows certificate store name (default "MY")
  • minimum_version / maximum_versionTlsVersion.TLSv1_2 or TlsVersion.TLSv1_3
  • verify_modessl.CERT_REQUIRED (default) or ssl.CERT_NONE
  • check_hostname — enable/disable hostname verification

Methods:

  • set_alpn_protocols(protocols: list[str]) — set ALPN protocol list (e.g. ["h2", "http/1.1"])
  • wrap_socket(sock, server_hostname=..., do_handshake_on_connect=True) -> SchannelSocket
  • load_cert_chain(), load_verify_locations(), set_ciphers() — no-ops for ssl.SSLContext compatibility

SchannelSocket

TLS-wrapped socket with an ssl.SSLSocket-compatible interface.

Methods:

  • do_handshake() — perform the TLS handshake
  • send(data: bytes) -> int / write(data: bytes) -> int
  • recv(bufsize: int) -> bytes / read(nbytes: int) -> bytes
  • recv_into(buffer, nbytes) -> int
  • getpeercert(binary_form=False) — get peer certificate
  • selected_alpn_protocol() -> str | None
  • version() -> str | None — negotiated TLS version
  • close() — send close_notify and close the connection
  • makefile(mode, buffering) — create a file-like wrapper (for urllib3 compatibility)

AsyncSchannelSocket

Async wrapper around SchannelSocket for asyncio.

# Connect and handshake
sock = await AsyncSchannelSocket.connect(host, port, context)

# Wrap existing socket
sock = await AsyncSchannelSocket.wrap(raw_sock, context, server_hostname)

# I/O
await sock.send(data)
data = await sock.recv(4096)
await sock.close()

schannel_connect()

Async context manager for WebSocket connections over SChannel TLS.

async with schannel_connect(
    uri: str,
    *,
    context: SchannelContext | None = None,
    client_cert_thumbprint: str | None = None,
    client_cert_subject: str | None = None,
    auto_select_client_cert: bool = False,
    cert_store_name: str = "MY",
    backend: str | None = None,
    timeout: float | None = 30.0,
    additional_headers: dict[str, str] | None = None,
    **ws_kwargs,
) as ws:
    ...

Data Classes

  • TlsVersion — enum: TLSv1_2, TLSv1_3
  • CertInfo — certificate metadata: thumbprint, subject, issuer, friendly_name, not_before, not_after, has_private_key, serial_number, der_encoded
  • ConnectionInfo — TLS connection details: protocol_version, cipher_algorithm, cipher_strength, hash_algorithm, hash_strength, exchange_algorithm, exchange_strength
  • StreamSizes — SChannel buffer sizes: header, trailer, max_message, buffers, block_size

Configuration

TLS Version

from requests_schannel import SchannelContext, TlsVersion

ctx = SchannelContext()
ctx.minimum_version = TlsVersion.TLSv1_2  # default
ctx.maximum_version = TlsVersion.TLSv1_3  # default

ALPN Protocols

ctx = SchannelContext()
ctx.set_alpn_protocols(["h2", "http/1.1"])

Disable Server Verification

Warning: Only use this for testing/development.

import ssl
ctx = SchannelContext()
ctx.verify_mode = ssl.CERT_NONE
ctx.check_hostname = False

Error Handling

All exceptions inherit from SchannelError:

Exception Description
SchannelError Base exception for all SChannel errors
HandshakeError TLS handshake failed
CertificateError Base for certificate-related errors
CertificateNotFoundError Certificate not found in the Windows store
CertificateExpiredError Certificate has expired
CertificateUntrustedError Certificate chain is not trusted
CertificateVerificationError Server certificate verification failed
CredentialError Failed to acquire SSPI credentials
DecryptionError Failed to decrypt incoming TLS data
EncryptionError Failed to encrypt outgoing TLS data
BackendError Backend (sspilib or ctypes) is unavailable
ContextExpiredError Security context has expired
RenegotiationError TLS renegotiation failed 
from requests_schannel._errors import SchannelError, CertificateNotFoundError

try:
    session = create_session(client_cert_thumbprint="INVALID...")
    session.get("https://secure.example.com")
except CertificateNotFoundError:
    print("Certificate not found in store")
except SchannelError as e:
    print(f"SChannel error: {e}")

Testing

# Install dev dependencies
pip install -e ".[test]"

# Run unit tests
pytest tests/unit/

# Run integration tests (requires Windows with network access)
pytest tests/integration/

# Run all tests with coverage
pytest --cov=requests_schannel --cov-report=term-missing

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for ruckc from gravatar.com ruckc

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Tags mtls , pki , requests , schannel , smartcard , sspi , tls , websockets , windows
  • Requires: Python >=3.12
  • Provides-Extra: all , dev , lint , requests , sspilib , test , websockets
Classifiers

Release history Release notifications | RSS feed

0.2.0

0.1.4

0.1.3

This version

0.1.2

0.1.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

requests_schannel-0.1.2.tar.gz (95.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

requests_schannel-0.1.2-py3-none-any.whl (32.1 kB view details)

Uploaded Python 3

File details

Details for the file requests_schannel-0.1.2.tar.gz.

File metadata

  • Download URL: requests_schannel-0.1.2.tar.gz
  • Upload date:
  • Size: 95.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for requests_schannel-0.1.2.tar.gz
Algorithm Hash digest
SHA256 84d1133998abdbe4df21121c0f858e33cac8407429d43dfccc976e691a235868
MD5 0413e9f2f7eb7b4069a90bd57d3179d1
BLAKE2b-256 0e7f62d49db727cf152cea7ba75892c4b73fde1e008053ab2109bf3b927100dc

See more details on using hashes here.

Provenance

The following attestation bundles were made for requests_schannel-0.1.2.tar.gz:

Publisher: publish.yml on ruckc/requests-schannel

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file requests_schannel-0.1.2-py3-none-any.whl.

File metadata

File hashes

Hashes for requests_schannel-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 dc919ae0a163333cf2057a59a7876494f3a5080d0e7842d1f075521695f681ff
MD5 242f43f068aaa0ba7dcfe6a822f9f71f
BLAKE2b-256 805b12f3a546ef8a762cdf192635892291c68b8ab90d68feffa9bd7c5f578739

See more details on using hashes here.

Provenance

The following attestation bundles were made for requests_schannel-0.1.2-py3-none-any.whl:

Publisher: publish.yml on ruckc/requests-schannel

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page