Kami / python-yubico-client

Python library for validating Yubico Yubikey One Time Passwords (OTPs) based on the validation protocol version 2.0.
https://yubico-client.readthedocs.org/en/latest/

Add in some logic to select a CA bundle #10

Closed erinn closed 11 years ago

erinn commented 11 years ago

This was mainly inspired by https://github.com/google/signet, but I didn't think having to hard code in the path to the CA file was worth it, so I added in a check for the SSL_CERT_FILE environment variable and used a default set of locations to try and find the system CA bundle.

Kami commented 11 years ago

@erinn Thanks.

I actually need to update httplib_ssl.py with a new version from Libcloud (https://github.com/apache/libcloud/blob/trunk/libcloud/httplib_ssl.py), because the version which is currently bundled is old and not robust enough.

I will try to do this later today.

erinn commented 11 years ago

I sent a pull request for libcloud to allow an override, so you can pull it from there. I think I will expand the CA list given in security in libcloud and that should be about it.

Kami commented 11 years ago

@erinn I've pushed a branch with a bunch of fixes - #11.

I've decided to use the requests library instead of the Libcloud HTTP code. The code which handles HTTP and SSL certificate validation in Libcloud is overly complex. One of the main reasons for this is that Libcloud needs to support a wide range of Python versions. That's not the case for this library, so I just went with a simpler approach and used the requests library.

In this new branch you can specify a path to a custom CA certificates bundle file by setting the yubico.CA_CERTS_BUNDLE_PATH variable.

If there are no major objections to the changes in the new branch, I plan to merge it and push a new version to PyPI in a day or two.

erinn commented 11 years ago

Using requests is certainly a lot nicer than using urllib. However, it still ends up in the same place: I was trying to remove a value that has to be coded in, and replace it with something that looks in common locations for CA bundles and loads them if found.

I would say that having the CA bundle found and loaded for you would be a great convenience, so the basic premise is still there. Let me know if you would like this done for your branch. However, my guess is that you prefer having the location set by hand.

Kami commented 11 years ago

@erinn I'm fine with looking for the CA bundle path in common places (excluding locations in the home directory) and using the first bundle found.

Is this what you had in mind, or do you want to do something else?

erinn commented 11 years ago

Yep, that is what I had in mind; you can easily take what I have above and put it into place in your branch. You will want to remove the last 3-6 lines in the list of possible locations (not sure how valuable Windows locations would be) to fit your needs.

Also, as we were sort of discussing in libcloud, using os.getenv may or may not be valuable.
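The lookup the thread converges on (honour SSL_CERT_FILE if set, otherwise take the first system-wide bundle found, never a path under the user's home directory), written out as an added example. This is not erinn's pull request code nor the yubico-client library's own implementation; the candidate path list is constructed here from common distribution defaults, the function names are assumptions, and the decision to fail loudly on an SSL_CERT_FILE that names no file is a design choice of this example rather than anything the thread settled on. The `verify` value it produces is the form the requests library accepts (`verify=<path>` or `verify=True` for the bundled default).

```python
"""Locate a system CA bundle for HTTPS validation without hard-coding one path.

Added example; not part of yubico-client or the pull request under discussion.
"""
import os
from typing import Callable, Iterable, Mapping, Optional, Union

# Constructed list of common system-wide bundle locations. Paths under the
# user's home directory are deliberately absent: a bundle that an
# unprivileged process can write to would let it add its own trust roots.
DEFAULT_CA_BUNDLE_CANDIDATES = (
    "/etc/ssl/certs/ca-certificates.crt",       # Debian, Ubuntu, Alpine
    "/etc/pki/tls/certs/ca-bundle.crt",         # RHEL, CentOS, Fedora
    "/etc/ssl/ca-bundle.pem",                   # openSUSE
    "/usr/local/share/certs/ca-root-nss.crt",   # FreeBSD (ca_root_nss port)
    "/etc/ssl/cert.pem",                        # OpenBSD, macOS
)


def find_ca_bundle(
    env: Mapping[str, str],
    candidates: Iterable[str] = DEFAULT_CA_BUNDLE_CANDIDATES,
    isfile: Callable[[str], bool] = os.path.isfile,
) -> Optional[str]:
    """Return the first usable CA bundle path, or None if nothing was found.

    `env` is passed explicitly (normally os.environ) and `isfile` is
    injectable so the selection logic can be tested without touching disk.
    """
    override = env.get("SSL_CERT_FILE")
    if override:
        if isfile(override):
            return override
        # Design choice of this example: an explicit override that points
        # nowhere is a configuration error. Silently falling through to a
        # system bundle would hide a typo and validate against a different
        # trust store than the operator intended.
        raise ValueError(
            "SSL_CERT_FILE=%r does not name an existing file" % override
        )
    for path in candidates:
        if isfile(path):
            return path
    return None


def verify_argument(
    env: Mapping[str, str],
    candidates: Iterable[str] = DEFAULT_CA_BUNDLE_CANDIDATES,
    isfile: Callable[[str], bool] = os.path.isfile,
) -> Union[str, bool]:
    """Value for requests' `verify=` keyword.

    A found bundle path is returned as-is; when no system bundle exists the
    result is True so requests falls back to its own bundled CA set rather
    than disabling validation (which `verify=False` would do).
    """
    found = find_ca_bundle(env, candidates, isfile)
    return found if found is not None else True


if __name__ == "__main__":
    # Typical use: requests.get(url, verify=verify_argument(os.environ))
    print("CA bundle selection:", verify_argument(os.environ))
```

Two points worth keeping when adapting this: the fallback is `True`, never `False`, so an unusual host degrades to the library's bundled roots instead of to no validation at all; and the candidate list is ordered so that the distribution-managed bundle wins on each platform it covers.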

Kami commented 11 years ago

Added in f8187e828d9773eaea7993bb0c34a78b3bde3bd0. Thanks!

Kami commented 11 years ago

Just wanted to let you know that a new version with this and a bunch of other improvements and fixes has been published to PyPi - http://pypi.python.org/pypi/yubico/1.6.0