diff --git a/client-py3/full/src/uds/rest.py b/client-py3/full/src/uds/rest.py
index bcf39858..b3a74ab2 100644
--- a/client-py3/full/src/uds/rest.py
+++ b/client-py3/full/src/uds/rest.py
@@ -40,7 +40,6 @@
 import ssl
 import socket
 import typing
-import certifi
 
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
@@ -186,7 +185,9 @@ class RestApi:
 ctx = ssl.create_default_context()
 ctx.check_hostname = False
 ctx.verify_mode = ssl.CERT_NONE
-ctx.load_verify_locations(tools.getCaCertsFile())
+ # If we have the certificates file, we use it
+ if tools.getCaCertsFile() is not None:
+ ctx.load_verify_locations(tools.getCaCertsFile())
 
 hostname = urllib.parse.urlparse(url)[1]
 serial = ''
diff --git a/client-py3/full/src/uds/tools.py b/client-py3/full/src/uds/tools.py
index e9584e68..8f3fa05c 100644
--- a/client-py3/full/src/uds/tools.py
+++ b/client-py3/full/src/uds/tools.py
@@ -34,12 +34,14 @@
 import string
 import random
 import os
 import os.path
+import sys
 import socket
 import stat
 import sys
 import time
 import base64
 import typing
+
 import certifi
 try:
@@ -242,11 +244,22 @@ def verifySignature(script: bytes, signature: bytes) -> bool:
 return True
 
 
-def getCaCertsFile() -> str:
+def getCaCertsFile() -> typing.Optional[str]:
+ # First, try certifi...
+ try:
 if os.path.exists(certifi.where()):
 return certifi.where()
 except Exception:
- logger.debug('Certifi file does not exists: %s', certifi.where())
+ pass
 
- return '' # Return empty path
+ logger.info('Certifi file does not exists: %s', certifi.where())
+
+ # Check if "standard" paths are valid for linux systems
+ if 'linux' in sys.platform:
+ for path in ('/etc/pki/tls/certs/ca-bundle.crt', '/etc/ssl/certs/ca-certificates.crt', '/etc/ssl/ca-bundle.pem'):
+ if os.path.exists(path):
+ logger.info('Found certifi path: %s', path)
+ return path
+
+ return None
 
diff --git a/client-py3/full/src/uds/tunnel.py b/client-py3/full/src/uds/tunnel.py
index 20c6bf2d..8716b744 100644
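Review bot: `tools.getCaCertsFile()` is evaluated twice in the added lines of the rest.py hunk — once in the `is not None` test and again as the argument — so the filesystem probes it performs (and, on the fallback branch, the scan of system bundle paths) run twice; bind it once: `ca_file = tools.getCaCertsFile()` / `if ca_file is not None:` / `ctx.load_verify_locations(ca_file)`. The same double call appears in the tunnel.py hunk. Note also that the two context lines above set `ctx.verify_mode = ssl.CERT_NONE` with `check_hostname = False`, so whatever bundle is loaded here is never consulted during this handshake; if, as the following `hostname`/`serial` lines suggest, this context only retrieves the peer certificate for inspection, a comment such as `# Verification is intentionally off: this context only fetches the peer certificate` would stop a reader from assuming the loaded CAs provide protection. The enclosing method starts and ends outside the hunk.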
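Review bot: The added `import sys` in the tools.py import hunk duplicates the `import sys` already present three lines further down in the same block, so the new line should be dropped rather than leaving the module imported twice (pyflakes-style linters report this as a redefinition). The added blank line before `import certifi` is fine as a stdlib/third-party group separator.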
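Review bot: In the new `getCaCertsFile`, the message `logger.info('Certifi file does not exists: %s', certifi.where())` is placed after the `except Exception: pass`, so if `certifi.where()` is what raised inside the `try`, it raises again here uncaught and the guard protects nothing; `certifi.where()` is also evaluated up to three times. Call it once, keep the failure logging inside the `except`, and reuse the bound value (below). The `'Found certifi path: %s'` message on the Linux branch is misleading because those paths are system bundles, not certifi; `'Found system CA bundle: %s'` would be accurate. The function now returns `typing.Optional[str]` and deserves a docstring, e.g. `"""Return a CA bundle path: certifi's if usable, else a known Linux system bundle, else None."""`. If the fallback should also work on non-Linux platforms, the standard library's `ssl.get_default_verify_paths()` reports the system locations without a hard-coded list.
```python
def getCaCertsFile() -> typing.Optional[str]:
    """Return a CA bundle path: certifi's if usable, else a known Linux system bundle, else None."""
    # First, try certifi... (call where() once; it may raise when certifi is broken)
    certifi_path: typing.Optional[str] = None
    try:
        certifi_path = certifi.where()
    except Exception:
        logger.info('certifi is not usable', exc_info=True)
    if certifi_path is not None and os.path.exists(certifi_path):
        return certifi_path
    logger.info('Certifi file does not exists: %s', certifi_path)

    # … unchanged: linux standard paths fallback, return None …
```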
--- a/client-py3/full/src/uds/tunnel.py
+++ b/client-py3/full/src/uds/tunnel.py
@@ -120,9 +120,10 @@ class ForwardServer(socketserver.ThreadingTCPServer):
 # Do not "recompress" data, use only "base protocol" compression
 context.options |= ssl.OP_NO_COMPRESSION
 
- context.load_verify_locations(
- tools.getCaCertsFile()
- ) # Load certifi certificates
+ if tools.getCaCertsFile() is not None:
+ context.load_verify_locations(
+ tools.getCaCertsFile()
+ ) # Load certifi certificates
 
 # If ignore remote certificate
 if self.check_certificate is False:
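Review bot: The retained trailing comment `# Load certifi certificates` is now inaccurate, since `tools.getCaCertsFile()` may return a system bundle instead of certifi's, and it says nothing about the new `None` branch; `# Load the CA bundle located by tools.getCaCertsFile() (certifi or a system bundle); when none is found the context keeps whatever it already holds` describes the added behaviour. Where `context` is created is outside the hunk, so whether that "already holds" means the platform default store or an empty one cannot be confirmed from here and is worth stating in the comment once checked. Binding `tools.getCaCertsFile()` to a local instead of calling it twice applies here as in the rest.py hunk.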