[feat] add fallback on trust sources for ssl verification

With the merge of platformTrust in twisted, the situation for cert chain
verification in linux improved a lot.

This patch implements fallbacks to do the following:

- Try to use whatever trust sources are found in the system. This means
that if ca-certificates is installed, pyopenssl will have a valid set of
root certificates and verification will likely work (twisted uses
platformTrust for this).

- If that fails, try to use certifi. We could/should depend on that from
now on, *but* it's not packaged before stretch.

- So, I'm not deprecating its usage right now, but this one should be
the last cacert.pem bundle that we ship with leap.common.

- If the cacert.pem from leap.common fails to be found, well, there's
nothing you can do. Your TOFU attempt with a cert coming from the
CArtel will fail.

Most of this MR should be sent as a patch upstream, see https://twistedmatrix.com/trac/ticket/6934
Also related: https://twistedmatrix.com/trac/ticket/9209

I think proper testing will depend on merging https://github.com/pyca/pyopenssl/pull/473

- Resolves: #8958
- Release: 0.6.0

1 files changed, 2 insertions, 2 deletions

diff --git a/src/leap/common/ca_bundle.py b/src/leap/common/ca_bundle.py
index e2a624d..66fc778 100644
--- a/src/leap/common/ca_bundle.py
+++ b/src/leap/common/ca_bundle.py
@@ -30,7 +30,7 @@ _system = platform.system()
 IS_MAC = _system == "Darwin"
 
 
-def where():
+def where(name='cacert.pem'):
     """
     Return the preferred certificate bundle.
     :rtype: str
@@ -39,7 +39,7 @@ def where():
         # we are running in a |PyInstaller| bundle
         path = sys._MEIPASS
         return os.path.join(path, 'cacert.pem')
-    return os.path.join(os.path.dirname(__file__), 'cacert.pem')
+    return os.path.join(os.path.dirname(__file__), name)
 
 if __name__ == '__main__':
     print(where())