Use certifi to get SSL root certificates

9 months ago · 7f595b089b
parent a76d7576c6
commit 7f595b089b
4 changed files with 11 additions and 42 deletions
--- a/gns3server/controller/appliance_manager.py
+++ b/gns3server/controller/appliance_manager.py
@ -34,7 +34,6 @@ except ImportError:
 from .appliance import Appliance
 from ..config import Config
 from ..utils.asyncio import locking
-from ..utils.cacert import get_cacert

 import logging
 log = logging.getLogger(__name__)
@ -49,11 +48,11 @@ class ApplianceManager:

        self._appliances = {}
        self._appliances_etag = None
-        self._sslcontext = None
+        self._ssl_context = None
        if hasattr(sys, "frozen"):
            cacert = certifi.where()
-            self._sslcontext = ssl.create_default_context(cafile=cacert)
-            log.info("Use CA certificate '{}' for SSL connections".format(cacert))
+            self._ssl_context = ssl.create_default_context(cafile=cacert)
+            log.info("Using certificate authority (CA) bundle: {}".format(cacert))

    @property
    def appliances_etag(self):
@ -182,7 +181,7 @@ class ApplianceManager:

        symbol_url = "https://raw.githubusercontent.com/GNS3/gns3-registry/master/symbols/{}".format(symbol)
        async with aiohttp.ClientSession() as session:
-            async with session.get(symbol_url, ssl=self._sslcontext) as response:
+            async with session.get(symbol_url, ssl=self._ssl_context) as response:
                if response.status != 200:
                    log.warning("Could not retrieve appliance symbol {} from GitHub due to HTTP error code {}".format(symbol, response.status))
                else:
@ -210,7 +209,7 @@ class ApplianceManager:
            async with aiohttp.ClientSession() as session:
                async with session.get(
                        'https://api.github.com/repos/GNS3/gns3-registry/contents/appliances',
-                        ssl=self._sslcontext,
+                        ssl=self._ssl_context,
                        headers=headers
                ) as response:
                    if response.status == 304:
--- a/gns3server/crash_report.py
+++ b/gns3server/crash_report.py
@ -29,10 +29,10 @@ import struct
 import platform
 import locale
 import distro
+import certifi

 from .version import __version__, __version_info__
 from .config import Config
-from .utils.cacert import get_cacert

 import logging
 log = logging.getLogger(__name__)
@ -73,11 +73,14 @@ class CrashReport:
        if SENTRY_SDK_AVAILABLE:
            # Don't send log records as events.
            sentry_logging = LoggingIntegration(level=logging.INFO, event_level=None)
+            cacert = None
+            if hasattr(sys, "frozen"):
+                cacert = certifi.where()

            try:
                sentry_sdk.init(dsn=CrashReport.DSN,
                                release=__version__,
-                                ca_certs=get_cacert(),
+                                ca_certs=cacert,
                                default_integrations=False,
                                integrations=[sentry_logging])
            except Exception as e:
--- a/gns3server/utils/cacert.py
+++ b/gns3server/utils/cacert.py
@ -1,34 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-# Copyright (C) 2023 GNS3 Technologies Inc.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import os
-import sys
-
-from .get_resource import get_resource
-
-import logging
-log = logging.getLogger(__name__)
-
-
-def get_cacert():
-    if hasattr(sys, "frozen"):
-        cacert_resource = get_resource("cacert.pem")
-        if cacert_resource is not None and os.path.isfile(cacert_resource):
-            return cacert_resource
-        else:
-            log.error("The SSL certificate bundle file '{}' could not be found".format(cacert_resource))
-    return None  # this means we use the system's CA bundle
--- a/requirements.txt
+++ b/requirements.txt
@ -1,3 +1,4 @@
+certifi>=2023.7.22
 jsonschema>=4.17.3,<4.18; python_version >= '3.7'
 jsonschema==3.2.0; python_version < '3.7'  # v3.2.0 is the last version to support Python 3.6
 aiohttp>=3.8.4,<3.9