server certificate validation

[dimaqq]

introduces requirement on backports.ssl_match_hostname where applicatble (<=Python3.2 or so).
pyp and/or requirements file will have to be updated too.
includes additional file to maintain -- a certificate bundle, ripped from python-requests, originally from mozilla/firefox.
please let me know if I missed something, could do anything better, or whatever is needed for patch to be accepted.

[dimaqq]

disregard my last [deleted] comment, I forgot that cacert.pem does not get installed by pip:

curl -L https://github.com/dimaqq/websocket-client/raw/master/cacert.pem > your-path-to/site-packages/cacert.pem

then it works :)

[dimaqq]

btw., any advice on how to package cacert.pem correctly is welcome.

what python-requests does is roughly:

site-packages
    requests
        __init__.py  # imports public functions from below
        something.py
        someother.py
        cacert.pem

as a poor alternative, consider that urllib3 does: VerifiedXxxx class where user has to set ca file and hostname manually.

[liris]

we have to change setup.py to depend on backport module and include cacert.pem.

[kapilt]

this causes breakages with self-signed certs with no option to add additional/overrides the certs, as their hardcoded here.

[dimaqq]

@kapilt you can inject your own sslopt options, including a flag not to validate server certificate. Refer to https://github.com/liris/websocket-client/blob/master/websocket/__init__.py#L467