twisted / txaws

Twisted-based Asynchronous Libraries for Amazon Web Services and clouds that support the AWS APIs
MIT License

TLS support includes root certificate management code that should be handled elsewhere #47

Open exarkun opened 7 years ago

exarkun commented 7 years ago

txaws/client/ssl.py is mostly just code that's been obsoleted by improvements to certificate authority certificate handling code in Twisted.

We can probably just get rid of the whole module (after deprecating it, I suppose). Certainly we don't need VerifyingWebClientContext anymore. Instead, we should use BrowserLikePolicyForHTTPS.

This will:

exarkun commented 7 years ago

@Julian asked what's needed to get rid of the "probably" from the issue description so I took another look at the module.

It still looks to me as if this whole module can be deprecated and then eliminated. We'll have to bump up the minimum supported version of Twisted so we can be sure we get BrowserLikePolicyForHTTPS and we should check for TXAWS_CERTS_PATH and respect that in the new codepaths (and also deprecate it).

So, yea, anyone who wants to can go ahead and deprecate this thing.
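
One way a replacement code path could respect TXAWS_CERTS_PATH while deprecating it, as an added example (not txaws code and not written by anyone in this thread). It assumes the variable holds an `os.pathsep`-separated list of directories containing `*.pem` files and that the installed Twisted provides `trustRootFromCertificates`; `pem_files_from_env` and `policy_from_env` are hypothetical names.

```python
import glob
import os
import warnings

ENV_VAR = "TXAWS_CERTS_PATH"


def pem_files_from_env(environ=os.environ):
    """Return None when TXAWS_CERTS_PATH is unset, otherwise the sorted
    *.pem paths found in its directories (assumed os.pathsep-separated)."""
    raw = environ.get(ENV_VAR)
    if raw is None:
        return None
    warnings.warn(ENV_VAR + " is deprecated; use the platform trust store",
                  DeprecationWarning, stacklevel=2)
    found = []
    for directory in raw.split(os.pathsep):
        if directory:  # skip empty entries such as "a::b"
            found.extend(glob.glob(os.path.join(directory, "*.pem")))
    return sorted(found)


def policy_from_env(environ=os.environ):
    """Build the HTTPS policy object to pass to twisted.web.client.Agent."""
    # Imported lazily so the path handling above works without Twisted.
    from twisted.internet.ssl import Certificate, trustRootFromCertificates
    from twisted.web.client import BrowserLikePolicyForHTTPS

    paths = pem_files_from_env(environ)
    if paths is None:
        # No override: BrowserLikePolicyForHTTPS uses the platform trust store.
        return BrowserLikePolicyForHTTPS()
    if not paths:
        # Fail closed: an empty override must not silently widen trust
        # to the platform store, and must not yield an empty trust root.
        raise ValueError(ENV_VAR + " is set but contains no *.pem files")
    certs = []
    for path in paths:
        with open(path, "rb") as f:
            # Certificate.loadPEM reads the first certificate in the file.
            certs.append(Certificate.loadPEM(f.read()))
    return BrowserLikePolicyForHTTPS(
        trustRoot=trustRootFromCertificates(certs))
```

The returned object is what `Agent` accepts as its `contextFactory` argument.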

Julian commented 7 years ago

AFAICT, 15.5.0, which is the current minimum version, already had BrowserLikePolicyForHTTPS, and used it by default in Agent:

https://twistedmatrix.com/documents/15.5.0/api/twisted.web.client.Agent.html

Julian commented 7 years ago

Alright, I cowboy coded together some stuff in https://github.com/twisted/txaws/tree/deprecate-t-c-ssl which looks like it should get 80% of the way there to my layman's eye, but it exhausted me a bit, so will have to leave it there for now till I catch a second wind.