From 55fb34146c496e7c997d7418e16dd67a191fca7f Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Thu, 29 Jun 2017 18:44:08 -0500
Subject: try loading trusted certs from a list of fallbacks (#633)

* try loading trusted certs from a list of fallbacks

pyca/cryptography will shortly begin shipping a wheel. Since
SSL_CTX_set_default_verify_paths uses a hardcoded path compiled into the
library, this will start failing to load the proper certificates for
users on many linux distributions. To avoid this we can use the Go
solution of iterating over a list of potential candidates and loading
it when found.

* capath is lazy loaded so we need to do a lot more checks

This now checks to see if env vars are set as well as seeing if the
dir exists and has valid certs in it. If either of those are true (or
the number of certs is > 0) it won't load the fallback. If it does do
the fallback it will also attempt to load certs from a dir as a final
fallback

* remove an early return

* this shouldn't be commented out

* oops

* very limited testing

* sigh, can't use these py3 exceptions of course

* expand the tests a bit

* coverage!

* don't need this now

* change the approach to use a pyca/cryptography guard value

* test fix

* older python sometimes calls itself linux2

* flake8

* add changelog

* coverage

* slash opt
---
 CHANGELOG.rst | 1 +
 1 file changed, 1 insertion(+)

(limited to 'CHANGELOG.rst')

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 871b1d5..86f6466 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -36,6 +36,7 @@ Changes:
 - Added ``OpenSSL.crypto.X509Req.from_cryptography``, ``OpenSSL.crypto.X509Req.to_cryptography``, ``OpenSSL.crypto.CRL.from_cryptography``, and ``OpenSSL.crypto.CRL.to_cryptography`` for converting X.509 CSRs and CRLs to and from pyca/cryptography objects. `#645 <https://github.com/pyca/pyopenssl/pull/645>`_
 - Added ``OpenSSL.debug`` that allows to get an overview of used library versions (including linked OpenSSL) and other useful runtime information using ``python -m OpenSSL.debug``.
   `#620 <https://github.com/pyca/pyopenssl/pull/620>`_
+- Added a fallback path to `Context.set_default_verify_paths` to accommodate the upcoming release of ``cryptography`` ``manylinux1`` wheels. `#633 <https://github.com/pyca/pyopenssl/pull/633>`_
 
 
 ----
-- 
cgit v1.2.1