| author | Kali Kaneko <kali@leap.se> | 2017-07-11 15:55:13 +0200 |
|---|---|---|
| committer | Kali Kaneko <kali@leap.se> | 2017-07-11 15:59:32 +0200 |
| commit | 07df10c11fa092af4abfe09dbc7584fc22e614a6 (patch) | |
| tree | f0fe746838efbb05f32ad16964fbec9a22f4a0c8 /src/leap/common/certs.py | |
| parent | aac425fba2fc1f3674f9fac969fbfa086318c5ec (diff) | |
[feat] add fallback on trust sources for ssl verification
With the merge of platformTrust in twisted, the situation for cert chain
verification in linux improved a lot.
This patch implements fallbacks to do the following:
- Try to use whatever trust sources are found in the system. This means
that if ca-certificates is installed, pyopenssl will have a valid set of
root certificates and verification will likely work (twisted uses
platformTrust for this).
- If that fails, try to use certifi. We could/should depend on that from
now on, *but* it's not packaged before stretch.
- So, I'm not deprecating its usage right now, but this one should be
the last cacert.pem bundle that we ship with leap.common.
- If the cacert.pem from leap.common fails to be found, well, there's
nothing you can do. Your TOFU attempt with a cert coming from the
CArtel will fail.
Most of this MR should be sent as a patch upstream, see https://twistedmatrix.com/trac/ticket/6934
Also related: https://twistedmatrix.com/trac/ticket/9209
I think proper testing will depend on merging https://github.com/pyca/pyopenssl/pull/473
- Resolves: #8958
- Release: 0.6.0
Diffstat (limited to 'src/leap/common/certs.py')

| -rw-r--r-- | src/leap/common/certs.py | 35 |
|---|---|---|

1 files changed, 0 insertions, 35 deletions
diff --git a/src/leap/common/certs.py b/src/leap/common/certs.py index 95704a6..db513f6 100644 --- a/src/leap/common/certs.py +++ b/src/leap/common/certs.py @@ -30,8 +30,6 @@ from leap.common.check import leap_assert logger = logging.getLogger(__name__) -SKIP_SSL_CHECK = os.environ.get('SKIP_TWISTED_SSL_CHECK', False) - def get_cert_from_string(string): """ @@ -180,36 +178,3 @@ def should_redownload(certfile, now=time.gmtime): return True return False - - -def get_compatible_ssl_context_factory(cert_path=None): - import twisted - from twisted.internet import ssl - cert = None - - if SKIP_SSL_CHECK: - # This should be used *only* for testing purposes. - - class WebClientContextFactory(ssl.ClientContextFactory): - """ - A web context factory which ignores the hostname and port and does - no certificate verification. - """ - def getContext(self, hostname, port): - return ssl.ClientContextFactory.getContext(self) - - contextFactory = WebClientContextFactory() - return contextFactory - - if twisted.version.base() > '14.0.1': - from twisted.web.client import BrowserLikePolicyForHTTPS - if cert_path: - cert = ssl.Certificate.loadPEM(open(cert_path).read()) - policy = BrowserLikePolicyForHTTPS(cert) - return policy - else: - raise Exception((""" - Twisted 14.0.2 is needed in order to have secure - Client Web SSL Contexts, not %s - See: http://twistedmatrix.com/trac/ticket/7647 - """) % (twisted.version.base())) |
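Review bot: the commit message never says that the first hunk (`@@ -30,8 +30,6 @@`) deletes the `SKIP_TWISTED_SSL_CHECK` environment escape hatch (`SKIP_SSL_CHECK = os.environ.get('SKIP_TWISTED_SSL_CHECK', False)`), even though that is a behaviour change for any test setup that relied on it and an `ImportError` for any module that imported `SKIP_SSL_CHECK` from `leap.common.certs`. Dropping an environment variable that silently turns off certificate verification is the right call, so please state it explicitly in the message (e.g. "`SKIP_TWISTED_SSL_CHECK` no longer has any effect") and, since this was the only use of `os` visible in the hunk, confirm that `os` is still needed elsewhere in `certs.py` or remove the import as well.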
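Review bot: in the second hunk (`@@ -180,36 +178,3 @@`), `get_compatible_ssl_context_factory` is removed with nothing added in this file (the diffstat is 0 insertions, 35 deletions), so every caller of that function is broken unless the replacement implementing the platformTrust, certifi and cacert.pem fallback chain described in the message lands in the same change; the commit message should name the module and function that replace it so reviewers can locate the new verification path. Removing the `WebClientContextFactory` whose `getContext` did no certificate verification is a clear security improvement, since that factory accepted any server certificate whenever the environment flag was set, and with it gone there is no longer a code path in this module that returns an unverified context.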