[lightapi/python]: fix peer connection failures on OpenSSL 3.5 environments by removing ABI-dependent SSL handling

[ccHarvestasya]

Background

This issue was discovered through failures in the shoestring health command.
Even when the node itself was healthy, the health command failed depending on which OpenSSL version Python was linked against.

In the reproduced environments:

• Ubuntu 24 system Python was linked to OpenSSL 3.0.x (no failure)
• Python in a uv-created virtual environment was linked to OpenSSL 3.5.x (health command failure)

Root Cause

The root cause was not OpenSSL 3.5 itself, but an ABI assumption in lightapi’s SSL/TLS handshake path.

The previous implementation extracted SSL_CTX from Python’s ssl.SSLContext using a fixed memory offset, then called SSL_CTX_set_verify.
This depended on Python object memory layout and linked OpenSSL ABI details, making it fragile across runtime combinations.

Changes

• Removed fixed-offset SSL_CTX access
• Removed OpenSSL-binding-based verify callback path
• Migrated certificate handling to ABI-free DER-based processing
• Added peer certificate chain handling that tolerates OpenSSL 3.5 / Python 3.10+ API differences
• Updated and expanded related tests

Impact

• Addresses shoestring health command failures in Python environments linked to OpenSSL 3.5.x
• Improves cross-environment robustness by eliminating ABI-dependent behavior

Security/Verification Note

Certificate verification strength should be reviewed carefully.
While compatibility improved, we should confirm the current TLS/app-layer verification policy is not weaker than intended.

Review Focus

• shoestring health succeeds with Python linked to OpenSSL 3.5.x
• no regression with Python linked to OpenSSL 3.0.x
• certificate verification policy is acceptable (compatibility vs strict verification trade-off)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.91%. Comparing base (c07f693) to head (940d507).
⚠️ Report is 1 commits behind head on dev.

Additional details and impacted files

@@            Coverage Diff             @@
##              dev    #2005      +/-   ##
==========================================
+ Coverage   96.87%   96.91%   +0.04%     
==========================================
  Files         261      259       -2     
  Lines       19119    19152      +33     
  Branches      215      215              
==========================================
+ Hits        18522    18562      +40     
+ Misses        591      584       -7     
  Partials        6        6              

Flag	Coverage Δ
lightapi-python	99.46% <100.00%> (+0.78%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...lightapi/connector/CatapultCertificateProcessor.py	100.00% <100.00%> (ø)
...on/symbollightapi/connector/SymbolPeerConnector.py	100.00% <100.00%> (+0.94%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.