ssl: use certifi explicitly for aiohttp and electrum-server connections

fixes ssl issues on Android

electrum/interface.py

@@ -33,6 +33,7 @@ from collections import defaultdict
 
 import aiorpcx
 from aiorpcx import RPCSession, Notification
+import requests
 
 from .util import PrintError, ignore_exceptions, log_exceptions, bfh, SilentTaskGroup
 from . import util
@@ -48,6 +49,9 @@ if TYPE_CHECKING:
     from .network import Network
 
 
+ca_path = requests.certs.where()
+
+
 class NotificationSession(RPCSession):
 
     def __init__(self, *args, **kwargs):
@@ -232,7 +236,7 @@ class Interface(PrintError):
             return None
 
         # see if we already have cert for this server; or get it for the first time
-        ca_sslc = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+        ca_sslc = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_path)
         if not self._is_saved_ssl_cert_available():
             await self._try_saving_ssl_cert_for_first_time(ca_sslc)
         # now we have a file saved in our certificate store

electrum/util.py

@@ -40,10 +40,12 @@ import builtins
 import json
 import time
 from typing import NamedTuple, Optional
+import ssl
 
 import aiohttp
 from aiohttp_socks import SocksConnector, SocksVer
 from aiorpcx import TaskGroup
+import requests
 
 from .i18n import _
 
@@ -57,6 +59,9 @@ def inv_dict(d):
     return {v: k for k, v in d.items()}
 
 
+ca_path = requests.certs.where()
+
+
 base_units = {'BTC':8, 'mBTC':5, 'bits':2, 'sat':0}
 base_units_inverse = inv_dict(base_units)
 base_units_list = ['BTC', 'mBTC', 'bits', 'sat']  # list(dict) does not guarantee order
@@ -919,6 +924,8 @@ def make_aiohttp_session(proxy: dict, headers=None, timeout=None):
         headers = {'User-Agent': 'Electrum'}
     if timeout is None:
         timeout = aiohttp.ClientTimeout(total=10)
+    ssl_context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_path)
+
     if proxy:
         connector = SocksConnector(
             socks_ver=SocksVer.SOCKS5 if proxy['mode'] == 'socks5' else SocksVer.SOCKS4,
@@ -926,11 +933,13 @@ def make_aiohttp_session(proxy: dict, headers=None, timeout=None):
             port=int(proxy['port']),
             username=proxy.get('user', None),
             password=proxy.get('password', None),
-            rdns=True
+            rdns=True,
+            ssl_context=ssl_context,
         )
-        return aiohttp.ClientSession(headers=headers, timeout=timeout, connector=connector)
     else:
-        return aiohttp.ClientSession(headers=headers, timeout=timeout)
+        connector = aiohttp.TCPConnector(ssl_context=ssl_context)
+
+    return aiohttp.ClientSession(headers=headers, timeout=timeout, connector=connector)
 
 
 class SilentTaskGroup(TaskGroup):