SNOW-2176203: Support intermediates in trust stores

[sfc-gh-snoonan]

Our current python connector does not support a configuration with intermediate certificates in a trust store as roots of trust. This is allowed by RFCs; the root does not need to be self signed, and this is the behavior we have in our Go client.

These changes enable partial chain validation to normalize behavior across clients.

• I am adding a new automated test(s) to verify correctness of my new code
• I am adding new logging messages
• I am adding a new telemetry message
• I am modifying authorization mechanisms
• I am adding new credentials
• I am modifying OCSP code
• I am adding a new dependency

[sfc-gh-jkasten]

Thanks!

LGTM - though it has been many years since I wrote production Python.

[sfc-gh-jkasten]

optional: According to the documentation, PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and check_hostname by default.
https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLS_CLIENT

I guess I would either be explicit with both options or maybe drop this addtional code?

[sfc-gh-snoonan]

As it is today, we do hostname verification in urllib3 rather than the SSLContext. (src/snowflake/connector/vendored/urllib3/util/ssl_.py). We might want to change that, but one thing at a time I think. This is another stdlib vs PyOpenSSL distinction. The context here just maps to the OpenSSL method used; we could probably get away with just PROTOCOL_TLS. They both map to OpenSSL.SSL.SSLv23_METHOD.

Yes, this is janky.

[sfc-gh-jkasten]

Note/optional: There is an ssl.VERIFY_X509_PARTIAL_CHAIN which can be set on the SSLContext directly under SSLContext.verify_flags I think? (Version 3.10)

It might simplify some of this code. My apologies if I missed something.

[sfc-gh-snoonan]

This is PyOpenSSL versus the stdlib. We're working with pretty old code here, so I try all the things :-).

[sfc-gh-pczajka]

Left two nits