summaryrefslogtreecommitdiff
path: root/src/leap/common/certs.py
AgeCommit message (Collapse)Author
2017-07-11[feat] add fallback on trust sources for ssl verificationKali Kaneko
With the merge of platformTrust in twisted, the situation for cert chain verification in linux improved a lot. This patch implements fallbacks to do the following: - Try to use whatever trust sources are found in the system. This means that if ca-certificates is installed, pyopenssl will have a valid set of root certificates and verification will likely work (twisted uses platformTrust for this). - If that fails, try to use certifi. We could/should depend on that from now on, *but* it's not packaged before stretch. - So, I'm not deprecating its usage right now, but this one should be the last cacert.pem bundle that we ship with leap.common. - If the cacert.pem from leap.common fails to be found, well, there's nothing you can do. Your TOFU attempt with a cert coming from the CArtel will fail. Most of this MR should be sent as a patch upstream, see https://twistedmatrix.com/trac/ticket/6934 Also related: https://twistedmatrix.com/trac/ticket/9209 I think proper testing will depend on merging https://github.com/pyca/pyopenssl/pull/473 - Resolves: #8958 - Release: 0.6.0
2015-11-12[style] fix pep8Ruben Pollan
2015-11-11[feature] add variable to skip twisted versionKali Kaneko
2015-07-28[style] more pep8 cleanupKali Kaneko
2015-06-02[bug] Use BrowserLikePolicyForHTTPS for checkingVictor Shyba
While testing the way that its implemented now, I found out that no check is being made on certificate attributes against the host. I found this simple way of creating a BrowserLikePolicyForHTTPS using a self signed cert and it worked on my test. I used test_https from Soledad for checking this (which we are fixing on another branch). Also, we don't want to depend on twisted for other things than leap.common.http.
2015-05-21[bug] get certificate times as UTC, add testsIvan Alejandro
The certificate validity times were converted to local time and later on compared with UTC time, which caused the certificate not being updated at the right times. Add tests to be sure this is not happenning again. Add a joint pem file for the existing cert and key files to ease test. - Resolves: #6994
2013-05-29change docstring comments to use sphinx styleKali Kaneko
2013-03-14initial commitKali Kaneko