From 07df10c11fa092af4abfe09dbc7584fc22e614a6 Mon Sep 17 00:00:00 2001
From: Kali Kaneko
Date: Tue, 11 Jul 2017 15:55:13 +0200
Subject: [feat] add fallback on trust sources for ssl verification

With the merge of platformTrust in twisted, the situation for cert chain verification in linux improved a lot.

This patch implements fallbacks to do the following:

- Try to use whatever trust sources are found in the system. This means that if ca-certificates is installed, pyopenssl will have a valid set of root certificates and verification will likely work (twisted uses platformTrust for this).
- If that fails, try to use certifi. We could/should depend on that from now on, *but* it's not packaged before stretch.
- So, I'm not deprecating its usage right now, but this one should be the last cacert.pem bundle that we ship with leap.common.
- If the cacert.pem from leap.common fails to be found, well, there's nothing you can do. Your TOFU attempt with a cert coming from the CArtel will fail.

Most of this MR should be sent as a patch upstream, see https://twistedmatrix.com/trac/ticket/6934

Also related: https://twistedmatrix.com/trac/ticket/9209

I think proper testing will depend on merging https://github.com/pyca/pyopenssl/pull/473

- Resolves: #8958
- Release: 0.6.0
---
 src/leap/common/certs.py | 35 -----------------------------------
 1 file changed, 35 deletions(-)
(limited to 'src/leap/common/certs.py')

diff --git a/src/leap/common/certs.py b/src/leap/common/certs.py
index 95704a6..db513f6 100644
--- a/src/leap/common/certs.py
+++ b/src/leap/common/certs.py
@@ -30,8 +30,6 @@ from leap.common.check import leap_assert
 logger = logging.getLogger(__name__)
-SKIP_SSL_CHECK = os.environ.get('SKIP_TWISTED_SSL_CHECK', False)
-
 def get_cert_from_string(string):
     """
@@ -180,36 +178,3 @@ def should_redownload(certfile, now=time.gmtime):
 return True
 return False
-
-
-def get_compatible_ssl_context_factory(cert_path=None):
- import twisted
- from twisted.internet import ssl
- cert = None
-
- if SKIP_SSL_CHECK:
- # This should be used *only* for testing purposes.
-
- class WebClientContextFactory(ssl.ClientContextFactory):
- """
- A web context factory which ignores the hostname and port and does
- no certificate verification.
- """
- def getContext(self, hostname, port):
- return ssl.ClientContextFactory.getContext(self)
-
- contextFactory = WebClientContextFactory()
- return contextFactory
-
- if twisted.version.base() > '14.0.1':
- from twisted.web.client import BrowserLikePolicyForHTTPS
- if cert_path:
- cert = ssl.Certificate.loadPEM(open(cert_path).read())
- policy = BrowserLikePolicyForHTTPS(cert)
- return policy
- else:
- raise Exception(("""
- Twisted 14.0.2 is needed in order to have secure
- Client Web SSL Contexts, not %s
- See: http://twistedmatrix.com/trac/ticket/7647
- """) % (twisted.version.base()))
-- cgit v1.2.3