Fix updateCheck._updateWindowsRootCertificates() for Python 3.

[jcsteh]

Link to issue number:

Related to #4803.

Summary of the issue:

updateCheck._updateWindowsRootCertificates is broken in Python 3. This will mean that a system which doesn't have the root SSL certificate used by nvaccess.org (e.g. a clean Windows install) won't be able to check for updates.

Description of how this pull request fixes the issue:

This was missed in the migration to Python 3.
There are two problems that needed to be addressed here:

1. We use https://www.nvaccess.org/nvdaUpdateCheck as the URL to get the certificate. However, that returns a 404. In Python 2, urllib didn't raise an exception for errors. In Python 3, it does. So, this was raising an exception and preventing us from getting any further.
   To fix this, pass versionType=stable as the query string, which will stop the server from throwing 404.
2. When getting the peer certificate, we need the raw SSL socket. In Python 3, the way to get that raw socket has changed slightly, so this code had to be adjusted accordingly.

Testing performed:

I don't have a clean system to test this on, but I confirmed that I don't get any exceptions when I do this in the NVDA Python console:

import updateCheck
updateCheck._updateWindowsRootCertificates()

Known issues with pull request:

None.

Change log entry:

Bug fixes:
- It is once again possible to check for NVDA updates on certain systems; e.g. clean Windows installs.

[josephsl]

Hi, requesting high priority for 2020.2 please. Thanks.

[josephsl]

Thanks for catching this.

[LeonarddeR]

I wonder whether it could be helpful to hardcode the url in a function kwarg. This way the behavior doesn't differ when calling the function, but third party can reuse it for other urls.

[jcsteh]

Yeah, I'd say that'd be useful, since Vocalizer Expressive at least copies this. However, we should probably move it to a different module if we're going to do that, and I didn't want to conflate these two issues with this PR, especially as this is a more important fix.

[josephsl]

Hi, Add-on Updater also uses this function (maybe for 2020.3?). Thanks.

[feerrenrut]

Thanks @jcsteh

Note: While #5871 is similar, it is likely to remain an issue after this PR is merged.

[jcsteh]

Correct; #5871 is still a problem because this code can't handle redirects. I think it'd be possible to fix that by writing code which manually tracked and followed all the redirects for a given URL, running this cert update code for each URL. That's not trivial, though, and probably involves writing custom urllib request handlers, etc.

[Brian1Gaff]

Is this allied to the issues I was having last week where certificates were apparently not up to date when some alpha snaps tried to download the next update? I did in the end find that going back to an older update, then downloading the latest seemed to make it work again, but I feel this was more luck than anything else! This was in Windows 7. Brian