From 0ad7e99efefd21f469df5c563b56729872a71369 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 27 Oct 2025 08:38:14 -0400
Subject: [PATCH] Only optionally use cryptography verification

Some supported distributions can't run the newer cryptography. Make it a feature that only works with newer platforms.
---
 confluent_server/confluent/util.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/confluent_server/confluent/util.py b/confluent_server/confluent/util.py
index 4d46ee60..77fcf696 100644
--- a/confluent_server/confluent/util.py
+++ b/confluent_server/confluent/util.py
@@ -34,7 +34,10 @@ import ssl
 import struct
 import eventlet.green.subprocess as subprocess
 import cryptography.x509 as x509
-import cryptography.x509.verification as verification
+try:
+ import cryptography.x509.verification as verification
+except ImportError:
+ verification = None
@@ -307,7 +310,7 @@ class TLSCertVerifier(object):
 # Mismatches, but try more traditional validation using the site CAs
 if self.subject:
 try:
- if self.verify_by_ca(certificate):
+ if verification and self.verify_by_ca(certificate):
 auditlog = log.Logger('audit')
 auditlog.log({'node': self.node, 'event': 'certautoupdate', 'fingerprint': fingerprint})
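Review bot: The `except ImportError:` fallback in the import hunk (`@@ -34,7 +34,10 @@`) sets `verification = None` with no comment and no log line, so on a platform with an older cryptography the CA-based certificate check is switched off without any trace for the operator. I would add a comment above the `try:` such as `# x509.verification is absent from older cryptography releases; when it is None, validation against the site CAs is disabled`. Logging once at import time that the feature is unavailable would also help when someone later investigates why a certificate change was not auto-accepted.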
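Review bot: The `verification` guard in the `@@ -307,7 +310,7 @@` hunk sits at the call site, so `verify_by_ca` itself remains callable while `verification` is None. Its body is not in this diff, but if it uses that module, any other caller would fail with an AttributeError instead of a clean refusal. Putting the check at the top of `verify_by_ca`, e.g. `if verification is None: return False`, keeps the fail-closed decision in one place and lets the call site stay `if self.verify_by_ca(certificate):`. When the guard is false, control presumably falls through to the existing fingerprint-mismatch handling; that path is outside the hunk, as are the start and end of the enclosing method, so confirm it rejects the certificate rather than accepting it.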