// Parse arguments BEFORE acquiring locks to reduce lock scope

let cafile_path = if let OptionalArg::Present(Some(ref cafile_obj)) = args.cafile {

Some(Self::parse_path_arg(cafile_obj, vm)?)

} else {

None

};

let capath_dir = if let OptionalArg::Present(Some(ref capath_obj)) = args.capath {

Some(Self::parse_path_arg(capath_obj, vm)?)

} else {

None

};

let cadata_parsed = if let OptionalArg::Present(ref cadata_obj) = args.cadata

&& !vm.is_none(cadata_obj)

{

let is_string = PyStrRef::try_from_object(vm, cadata_obj.clone()).is_ok();

let data_vec = self.parse_cadata_arg(cadata_obj, vm)?;

Some((data_vec, is_string))

} else {

None

};

// Check for CRL before acquiring main locks

let (crl_opt, cafile_is_crl) = if let Some(ref path) = cafile_path {

let crl = self.load_crl_from_file(path, vm)?;

let is_crl = crl.is_some();

(crl, is_crl)

} else {

(None, false)

};

// If it's a CRL, just add it (separate lock, no conflict with root_store)

if let Some(crl) = crl_opt {

self.crls.write().push(crl);

}

// Now acquire write locks for certificate loading

// Load from file (if not CRL)

if let Some(ref path) = cafile_path {

if !cafile_is_crl {

path,

if let Some(ref dir_path) = capath_dir {

let stats = self.load_certs_from_dir_helper(&mut root_store, dir_path, vm)?;

if let Some((ref data_vec, is_string)) = cadata_parsed {

data_vec,

// Extract capath_certs, releasing context lock quickly

let capath_certs = {

let context = self.context.read();

let certs = context.capath_certs_der.read();

if certs.is_empty() {

return Ok(());

}

certs.clone()

};

// Extract peer certificates, releasing connection lock quickly

let top_cert_der = {

let conn_guard = self.connection.lock();

let conn = conn_guard.as_ref().ok_or("No connection")?;

let peer_certs = conn.peer_certificates().ok_or("No peer certificates")?;

if peer_certs.is_empty() {

return Ok(());

}

peer_certs

.iter()

.map(|c| c.as_ref().to_vec())

.last()

.expect("is_empty checked above")

};

let (_, top_cert) = x509_parser::parse_x509_certificate(&top_cert_der)

// Find matching CA in capath certs (skip unparseable certificates)

let matching_ca = capath_certs.iter().find_map(|ca_der| {

let (_, ca) = x509_parser::parse_x509_certificate(ca_der).ok()?;

// Check if this CA is self-signed (root CA) and matches the issuer

(ca.subject() == ca.issuer() && ca.subject() == top_issuer).then(|| ca_der.clone())

});

// Update ca_certs_der if we found a match

if let Some(ca_der) = matching_ca {

let context = self.context.read();

let mut ca_certs_der = context.ca_certs_der.write();

if !ca_certs_der.iter().any(|c| c == &ca_der) {

ca_certs_der.push(ca_der);

// Nested read locks are safe

// Clone the Arc option to avoid nested lock (sni_state.read -> arc.lock)

let sni_state_opt = self.sni_state.read().clone();

sni_state_opt.as_ref().and_then(|arc| arc.lock().1.clone())

// Extract DER bytes from connection, releasing lock quickly

let der_bytes = {

let conn_guard = self.connection.lock();

let conn = conn_guard

.as_ref()

.ok_or_else(|| vm.new_value_error("No TLS connection established"))?;

let Some(peer_certificates) = conn.peer_certificates() else {

return Ok(None);

};

let cert = peer_certificates

.first()

.ok_or_else(|| vm.new_value_error("No peer certificate available"))?;

cert.as_ref().to_vec()

// Parse DER certificate and convert to dict (outside lock)

let (_, cert) = x509_parser::parse_x509_certificate(&der_bytes)

// Extract cipher suite, releasing lock quickly

let suite = {

let conn_guard = self.connection.lock();

conn_guard.as_ref()?.negotiated_cipher_suite()?

};

// Extract cipher information outside the lock

// Extract cipher suite, releasing lock quickly

let suite = {

let conn_guard = self.connection.lock();

conn_guard.as_ref()?.negotiated_cipher_suite()?

};

// Convert to string outside the lock