Use truststore

gns3server/controller/appliance_manager.py

@@ -16,14 +16,12 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
-import sys
 import json
 import uuid
 import asyncio
 import aiohttp
 import shutil
-import ssl
-import certifi
+
 
 try:
     import importlib_resources
@@ -48,11 +46,6 @@ def __init__(self):
 
         self._appliances = {}
         self._appliances_etag = None
-        self._ssl_context = None
-        if hasattr(sys, "frozen"):
-            cacert = certifi.where()
-            self._ssl_context = ssl.create_default_context(cafile=cacert)
-            log.info("Using certificate authority (CA) bundle: {}".format(cacert))
 
     @property
     def appliances_etag(self):
@@ -181,7 +174,7 @@ async def _download_symbol(self, symbol, destination_path):
 
         symbol_url = "https://raw.githubusercontent.com/GNS3/gns3-registry/master/symbols/{}".format(symbol)
         async with aiohttp.ClientSession() as session:
-            async with session.get(symbol_url, ssl=self._ssl_context) as response:
+            async with session.get(symbol_url) as response:
                 if response.status != 200:
                     log.warning("Could not retrieve appliance symbol {} from GitHub due to HTTP error code {}".format(symbol, response.status))
                 else:
@@ -209,7 +202,6 @@ async def download_appliances(self):
             async with aiohttp.ClientSession() as session:
                 async with session.get(
                         'https://api.github.com/repos/GNS3/gns3-registry/contents/appliances',
-                        ssl=self._ssl_context,
                         headers=headers
                 ) as response:
                     if response.status == 304:

gns3server/crash_report.py

@@ -29,7 +29,6 @@
 import platform
 import locale
 import distro
-import certifi
 
 from .version import __version__, __version_info__
 from .config import Config
@@ -73,14 +72,9 @@ def __init__(self):
         if SENTRY_SDK_AVAILABLE:
             # Don't send log records as events.
             sentry_logging = LoggingIntegration(level=logging.INFO, event_level=None)
-            cacert = None
-            if hasattr(sys, "frozen"):
-                cacert = certifi.where()
-
             try:
                 sentry_sdk.init(dsn=CrashReport.DSN,
                                 release=__version__,
-                                ca_certs=cacert,
                                 default_integrations=False,
                                 integrations=[sentry_logging])
             except Exception as e:

gns3server/run.py

@@ -28,6 +28,16 @@
 import argparse
 import psutil
 
+import logging
+log = logging.getLogger(__name__)
+
+
+try:
+    import truststore
+    truststore.inject_into_ssl()
+    log.info("Using system certificate store for SSL connections")
+except ImportError:
+    pass
 
 from gns3server.web.web_server import WebServer
 from gns3server.web.logger import init_logger
@@ -36,10 +46,6 @@
 from gns3server.crash_report import CrashReport
 
 
-import logging
-log = logging.getLogger(__name__)
-
-
 def locale_check():
     """
     Checks if this application runs with a correct locale (i.e. supports UTF-8 encoding) and attempt to fix

requirements.txt

@@ -1,4 +1,3 @@
-certifi>=2023.7.22
 jsonschema>=4.17.3,<4.18; python_version >= '3.7'
 jsonschema==3.2.0; python_version < '3.7'  # v3.2.0 is the last version to support Python 3.6
 aiohttp>=3.8.4,<3.9
@@ -13,5 +12,6 @@ async-timeout>=4.0.2,<4.1
 distro>=1.8.0
 py-cpuinfo>=9.0.0,<10.0
 importlib-resources>=1.3; python_version <= '3.9'
+truststore>=0.7.0; python_version >= '3.10'
 setuptools>=60.8.1; python_version >= '3.7'
 setuptools==59.6.0; python_version < '3.7'  # v59.6.0 is the last version to support Python 3.6