From aceff1bf17afe60378ff5ad7335573da7ba9ddde Mon Sep 17 00:00:00 2001
From: Kali Kaneko
Date: Fri, 14 Jul 2017 14:34:29 +0200
Subject: [refactor] remove heuristic to check for usable platformRoot

the rationale here is that, in debian, certifi will always return a working platform trust, since the package points to the system certificates. in osx and windows, certifi will load an usable trustRoot that is kept up to date. another detail we didn't like about the heuristic is that the bundled certificate for testing will eventually expire, so that introduces the duty of keeping it up-to-date.
---
 src/leap/common/http.py | 33 +--------------------------------
 1 file changed, 1 insertion(+), 32 deletions(-)
(limited to 'src/leap/common/http.py')

diff --git a/src/leap/common/http.py b/src/leap/common/http.py
index f6a7f7e..d223f2e 100644
--- a/src/leap/common/http.py
+++ b/src/leap/common/http.py
@@ -95,33 +95,6 @@ def certsFromBundle(path, x509=False):
     return certs
-def hasUsablePlatformTrust():
-    _knownchain = certsFromBundle(ca_bundle.where('EFFchain.pem'), x509=True)
-    _knowncert = _knownchain[0]
-    _knowninterm = _knownchain[1:]
-    def _verify_test_cert(store, cert):
-        store_ctx = X509StoreContext(store, cert)
-        try:
-            assert store_ctx.verify_certificate() is None
-        except (X509StoreContextError, AssertionError):
-            return False
-        else:
-            return True
-    def _add_intermediates(store, intermediates):
-        for _cert in intermediates:
-            store.add_cert(_cert)
-    ctx = Context(TLSv1_METHOD)
-    ctx.set_default_verify_paths()
-    store = ctx.get_cert_store()
-    _add_intermediates(store, _knowninterm)
-    return _verify_test_cert(store, _knowncert)
-
-
 def getCertifiTrustRoot():
     try:
         import certifi
@@ -254,11 +227,7 @@ class HTTPClient(object):
         self._pool = pool if pool is not None else self._pool
         if cert_path is None:
-            if hasUsablePlatformTrust():
-                # Twisted Knows What To Do
-                trustRoot = None
-            else:
-                trustRoot = getCertifiTrustRoot()
+            trustRoot = getCertifiTrustRoot()
         else:
             trustRoot = cert_path
-- 
cgit v1.2.3
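Review bot: The new `trustRoot = getCertifiTrustRoot()` line has no explicit handling for the case where certifi is not installed; `getCertifiTrustRoot` wraps `import certifi` in a `try` (visible as context in the first hunk, its body continues outside it), so if that function falls back to returning None the client silently ends up on Twisted's default platform trust, the very path the removed heuristic used to validate before trusting it. That fallback is acceptable per the commit message, but it should be visible at the call site: log it, e.g. `if trustRoot is None: <log a warning that certifi is unavailable and platform trust is used>` (assuming the module has a logger, which this hunk does not show), or at least carry the intent the deleted `# Twisted Knows What To Do` comment expressed, e.g. `# certifi's CA bundle; on Debian this is the system trust store. None means Twisted's platform trust.`. The enclosing HTTPClient method starts and ends outside the hunk.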