path: root/src/leap/common/EFFchain.pem
Age  Commit message  Author
2017-07-14  [refactor] remove heuristic to check for usable platformRoot  Kali Kaneko
The rationale here is that, in Debian, certifi will always return a working platform trust, since the package points to the system certificates. In OS X and Windows, certifi will load a usable trustRoot that is kept up to date. Another detail we didn't like about the heuristic is that the bundled certificate for testing will eventually expire, so that introduces the duty of keeping it up-to-date.
2017-07-11  [feat] add fallback on trust sources for ssl verification  Kali Kaneko
With the merge of platformTrust in twisted, the situation for cert chain verification in linux improved a lot. This patch implements fallbacks to do the following:

- Try to use whatever trust sources are found in the system. This means that if ca-certificates is installed, pyopenssl will have a valid set of root certificates and verification will likely work (twisted uses platformTrust for this).
- If that fails, try to use certifi. We could/should depend on that from now on, *but* it's not packaged before stretch.
- So, I'm not deprecating its usage right now, but this one should be the last cacert.pem bundle that we ship with leap.common.
- If the cacert.pem from leap.common fails to be found, well, there's nothing you can do. Your TOFU attempt with a cert coming from the CArtel will fail.

Most of this MR should be sent as a patch upstream, see https://twistedmatrix.com/trac/ticket/6934
Also related: https://twistedmatrix.com/trac/ticket/9209
I think proper testing will depend on merging https://github.com/pyca/pyopenssl/pull/473

- Resolves: #8958
- Release: 0.6.0
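The fallback order listed in the 2017-07-11 commit message (system trust, then certifi, then a shipped cacert.pem, otherwise fail), as an added sketch that is not leap.common's code. It uses the standard-library ssl module instead of Twisted and pyOpenSSL; the function names and the "cacert.pem" path are hypothetical.

```python
import os
import ssl


def system_trust():
    """Step 1: CA file or directory the platform's OpenSSL is set up to use."""
    paths = ssl.get_default_verify_paths()
    # cafile/capath are None when the configured location does not exist.
    return paths.cafile or paths.capath


def certifi_trust():
    """Step 2: the certifi bundle, if the package is installed."""
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where()


def choose_trust_source(bundled_path, sources=None):
    """Return (name, path) for the first existing trust source, in fallback order."""
    if sources is None:
        sources = [
            ("system", system_trust),
            ("certifi", certifi_trust),
            ("bundled", lambda: bundled_path),  # step 3: shipped cacert.pem
        ]
    for name, find in sources:
        path = find()
        if path and os.path.exists(path):
            return name, path
    # Nothing left to fall back to: fail closed rather than connect unverified.
    raise RuntimeError("no trust source available")


def verifying_context(path):
    """Build a client context that verifies chain and hostname against path."""
    if os.path.isdir(path):
        return ssl.create_default_context(capath=path)
    return ssl.create_default_context(cafile=path)


if __name__ == "__main__":
    # "cacert.pem" is a placeholder for a bundle shipped with the application.
    name, path = choose_trust_source("cacert.pem")
    print(name, path)
```

The `sources` parameter exists so the order can be exercised without depending on what the host has installed.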