Try to guess CA bundle path

Signed-off-by: Maxime “pep” Buquet <pep@bouah.net>
2021-12-28 18:29:58 +01:00 · 2021-12-28 18:29:58 +01:00 · 7e8fa46402
commit 7e8fa46402
parent 842d71abf9
3 changed files with 21 additions and 4 deletions
--- a/data/default_config.cfg
+++ b/data/default_config.cfg
@ -79,12 +79,14 @@ certificate =
 # value to the services default.
 #whitespace_interval = 300

-# Path to the certificate authenticating the Authority
+# Path to the certificate authenticating the Authority.
 # A server may have several certificates, but if it uses a CA, it will often
 # keep the same for obvious reasons, so this is a good option if your server
 # does this, rather than skipping all verifications.
 # This is not affected by ignore_certificate
-ca_cert_path =
+# Poezio attempts to guess this value automatically. Set to override this
+# behaviour, to the empty string for example, or to another path.
+#ca_cert_path =

 # Auto-reconnects you when you get disconnected from the server
 #auto_reconnect = true
--- a/poezio/config.py
+++ b/poezio/config.py
@ -30,6 +30,17 @@ ConfigDict = Dict[str, Dict[str, ConfigValue]]

 DEFSECTION = "Poezio"

+
+CA_CERT_DEFAULT_PATHS = {
+    '/etc/ssl/cert.pem',
+    '/etc/ssl/certs/ca-certificates.crt',
+    '/etc/ssl/certs/ca-bundle.crt',
+    '/etc/pki/tls/certs/ca-bundle.crt',
+    '/etc/ssl/certs/ca-certificates.crt',
+    '/etc/ca-certificates/extracted/tls-ca-bundle.pem',
+    '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
+}
+
 DEFAULT_CONFIG: ConfigDict = {
    'Poezio': {
        'ack_message_receipts': True,
@ -40,7 +51,7 @@ DEFAULT_CONFIG: ConfigDict = {
        'autorejoin_delay': '5',
        'autorejoin': False,
        'beep_on': 'highlight private invite disconnect',
-        'ca_cert_path': '',
+        'ca_cert_path': ':'.join(CA_CERT_DEFAULT_PATHS),
        'certificate': '',
        'certfile': '',
        'ciphers': 'HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL',
--- a/poezio/connection.py
+++ b/poezio/connection.py
@ -16,6 +16,7 @@ import subprocess
 import sys
 import base64
 import random
+from pathlib import Path

 import slixmpp
 from slixmpp import JID, InvalidJID
@ -117,7 +118,10 @@ class Connection(slixmpp.ClientXMPP):
        self.ciphers = config.getstr(
            'ciphers', 'HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK'
            ':!SRP:!3DES:!aNULL')
-        self.ca_certs = config.getstr('ca_cert_path') or None
+        self.ca_certs = None
+        ca_certs = config.getlist('ca_cert_path')
+        if ca_certs and ca_certs != ['']:
+            self.ca_certs = list(map(Path, config.getlist('ca_cert_path')))
        interval = config.getint('whitespace_interval')
        if int(interval) > 0:
            self.whitespace_keepalive_interval = int(interval)