| author | Kali Kaneko <kali@leap.se> | 2017-07-11 15:55:13 +0200 |
|---|---|---|
| committer | Kali Kaneko <kali@leap.se> | 2017-07-11 15:59:32 +0200 |
| commit | 07df10c11fa092af4abfe09dbc7584fc22e614a6 (patch) | |
| tree | f0fe746838efbb05f32ad16964fbec9a22f4a0c8 /debian | |
| parent | aac425fba2fc1f3674f9fac969fbfa086318c5ec (diff) | |
[feat] add fallback on trust sources for ssl verification
With the merge of platformTrust in twisted, the situation for cert chain
verification in Linux improved a lot.

This patch implements fallbacks to do the following:

- Try to use whatever trust sources are found in the system. This means
  that if ca-certificates is installed, pyopenssl will have a valid set of
  root certificates and verification will likely work (twisted uses
  platformTrust for this).
- If that fails, try to use certifi. We could/should depend on that from
  now on, *but* it's not packaged before stretch.
- So, I'm not deprecating its usage right now, but this one should be
  the last cacert.pem bundle that we ship with leap.common.
- If the cacert.pem from leap.common fails to be found, well, there's
  nothing you can do. Your TOFU attempt with a cert coming from the
  CArtel will fail.

Most of this MR should be sent as a patch upstream, see https://twistedmatrix.com/trac/ticket/6934

Also related: https://twistedmatrix.com/trac/ticket/9209

I think proper testing will depend on merging https://github.com/pyca/pyopenssl/pull/473

- Resolves: #8958
- Release: 0.6.0
Diffstat (limited to 'debian')
0 files changed, 0 insertions, 0 deletions
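The three-step fallback the commit message describes (system trust store, then certifi, then a bundled cacert.pem), written out as an added example that is not leap.common's or twisted's code: it uses the standard-library `ssl` module as a stand-in for twisted's platformTrust, and the `BUNDLED_CACERT` path, the `NoTrustSource` exception and the `first_working` helper are assumptions made for this illustration.

```python
"""Fallback chain for TLS trust roots: system store -> certifi -> bundled file."""
import os
import ssl

# Assumed location of the bundle shipped with the package (illustration only).
BUNDLED_CACERT = os.path.join(os.path.dirname(os.path.abspath(__file__)), "cacert.pem")


class NoTrustSource(Exception):
    """Raised when a candidate trust source is unusable, or when all of them are."""


def system_roots():
    """Stand-in for twisted's platformTrust(): the OS store (ca-certificates on Debian)."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    if ctx.cert_store_stats()["x509"] == 0:
        # Store exists but holds no certificates: treat as a failed source, not success.
        raise NoTrustSource("system trust store is empty")
    return ctx


def certifi_roots():
    """certifi's Mozilla bundle; ImportError if the distribution does not package it."""
    import certifi
    return ssl.create_default_context(cafile=certifi.where())


def bundled_roots(path=BUNDLED_CACERT):
    """The last-resort bundle shipped with the package."""
    if not os.path.exists(path):
        raise NoTrustSource("no bundled cacert.pem at %s" % path)
    return ssl.create_default_context(cafile=path)


def first_working(loaders):
    """Try (name, loader) pairs in order; return (name, context) of the first that works.

    Every failure is recorded so the final error says why each source was rejected.
    """
    failures = []
    for name, loader in loaders:
        try:
            return name, loader()
        except Exception as exc:  # ImportError, FileNotFoundError, ssl.SSLError, NoTrustSource
            failures.append("%s: %s" % (name, exc))
    raise NoTrustSource("no usable trust source; " + "; ".join(failures))


DEFAULT_CHAIN = [("platform", system_roots), ("certifi", certifi_roots), ("bundled", bundled_roots)]


def trust_context():
    """Pick the trust roots a verifying client should use, honouring the fallback order."""
    return first_working(DEFAULT_CHAIN)
```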