From 07df10c11fa092af4abfe09dbc7584fc22e614a6 Mon Sep 17 00:00:00 2001 From: Kali Kaneko Date: Tue, 11 Jul 2017 15:55:13 +0200 Subject: [feat] add fallback on trust sources for ssl verification With the merge of platformTrust in twisted, the situation for cert chain verification in linux improved a lot. This patch implements fallbacks to do the following: - Try to use whatever trust sources are found in the system. This means that if ca-certificates is installed, pyopenssl will have a valid set of root certificates and verification will likely work (twisted uses platformTrust for this). - If that fails, try to use certifi. We could/should depend on that from now on, *but* it's not packaged before stretch. - So, I'm not deprecating its usage right now, but this one should be the last cacert.pem bundle that we ship with leap.common. - If the cacert.pem from leap.common fails to be found, well, there's nothing you can do. Your TOFU attempt with a cert coming from the CArtel will fail. Most of this MR should be sent as a patch upstream, see https://twistedmatrix.com/trac/ticket/6934 Also related: https://twistedmatrix.com/trac/ticket/9209 I think proper testing will depend on merging https://github.com/pyca/pyopenssl/pull/473 - Resolves: #8958 - Release: 0.6.0
---
src/leap/common/ca_bundle.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/leap/common/ca_bundle.py')
diff --git a/src/leap/common/ca_bundle.py b/src/leap/common/ca_bundle.py
index e2a624d..66fc778 100644
--- a/src/leap/common/ca_bundle.py
+++ b/src/leap/common/ca_bundle.py
@@ -30,7 +30,7 @@ _system = platform.system()
 IS_MAC = _system == "Darwin"
-def where():
+def where(name='cacert.pem'):
 """
 Return the preferred certificate bundle.
 :rtype: str
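Review bot: The new `name` parameter on `def where(name='cacert.pem'):` is not described in the docstring that immediately follows it, which still documents only the return type. Add `:param name: file name of the bundle inside this package's directory (a bare name, not a path)` and `:type name: str` above the existing `:rtype: str` so callers know the argument is resolved relative to the package and not as an arbitrary path. The body of `where` continues in the next hunk, outside this one.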
@@ -39,7 +39,7 @@ def where():
 # we are running in a |PyInstaller| bundle
 path = sys._MEIPASS
 return os.path.join(path, 'cacert.pem')
- return os.path.join(os.path.dirname(__file__), 'cacert.pem')
+ return os.path.join(os.path.dirname(__file__), name)
 if __name__ == '__main__': print(where())
-- cgit v1.2.3
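Review bot: The frozen branch still returns `os.path.join(path, 'cacert.pem')`, so under PyInstaller a caller that passes a different `name` silently gets the default bundle while the non-frozen branch honours it; change that line to `return os.path.join(path, name)` so both branches resolve the same file. Because `os.path.join` discards the directory when `name` is absolute and keeps `..` components, the parameter should be constrained to a bare file name (for example `name = os.path.basename(name)`) if it can ever come from outside this package — I cannot tell from the hunk who the callers are. Neither branch checks that the file exists, so the fallback chain described in the commit message has to test `os.path.isfile(where(...))` itself, presumably outside this file. The signature and docstring of `where` are in the previous hunk, outside this one.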