
    Add and use a new HTTPS handler, error reporting, and urlopen wrapper.

    Review Request #14943 — Created March 18, 2026 and updated — Latest diff uploaded

    Information

    Review Board
    release-7.1.x

    Reviewers

    This introduces reviewboard.certs.http, which contains a URL opener,
    CertificateVerificationHTTPSHandler. This takes care of generating a
    suitable SSL context based on the certificate manager, and handles the
    conversion of SSL/TLS errors to our own exceptions.

    If an SSLError is raised, it will be converted into a
    CertificateVerificationError, complete with a Certificate instance
    fetched from the server (as SSLError doesn't contain this). This means
    individual call sites don't have to convert SSL errors anymore.

    A urlopen() method in the same module is available, which can be used
    as a direct replacement for urllib.request.urlopen(). If communicating
    over HTTPS, this will make use of our new handler. Otherwise, it's the
    exact same as calling the original urlopen().

    All urlopen() call sites have been updated to use this. They were
    recently updated to use build_urlopen_kwargs(), but that's no longer
    required. In fact, this method is now deprecated in favor of the new
    handler.

    The hosting service HTTP support makes use of the new handler directly,
    allowing it to leverage the central context building and error handling.

    Unless a legacy UnverifiedCertificateError is explicitly returned by a
    hosting service or SCMTool, all call sites will now use the modern
    CertificateVerificationError.

    All unit tests pass.

    Manually tried adding repositories using bare SCMTools and hosting
    services, verifying I received the cert verification banner each time.
    Tested this with a variety of https://badssl.com endpoints.

    Verified that trusting the cert created a stored cert entry and that
    further access worked.
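
The handler pattern described in this request, sketched with only the standard library. This is an added example, not code from the change or from Review Board; `CertVerificationError`, `fetch_untrusted_pem` and `VerifyingHTTPSHandler` are hypothetical names, and a PEM string stands in for the Certificate instance.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class CertVerificationError(Exception):
    """Hypothetical stand-in for the CertificateVerificationError named above."""

    def __init__(self, host, port, reason, pem=None):
        super().__init__(f'{host}:{port}: {reason}')
        self.host, self.port, self.reason, self.pem = host, port, reason, pem


def fetch_untrusted_pem(host, port):
    """Second, unverified connection: the PEM is for display to a user only."""
    try:
        return ssl.get_server_certificate((host, port), timeout=5)
    except OSError:
        return None  # server unreachable on retry; report the error anyway


class VerifyingHTTPSHandler(urllib.request.HTTPSHandler):
    """Builds one verifying context and converts TLS failures in one place."""

    def __init__(self, context=None, fetch_cert=fetch_untrusted_pem):
        # Default context keeps CERT_REQUIRED and hostname checking enabled.
        super().__init__(context=context or ssl.create_default_context())
        self._fetch_cert = fetch_cert

    def https_open(self, req):
        try:
            return super().https_open(req)
        except urllib.error.URLError as e:
            # urllib wraps socket-level errors; only TLS ones are converted.
            if not isinstance(e.reason, ssl.SSLError):
                raise
            parts = urlsplit(req.full_url)
            host, port = parts.hostname, parts.port or 443
            reason = getattr(e.reason, 'verify_message', None) or str(e.reason)
            raise CertVerificationError(
                host, port, reason, self._fetch_cert(host, port)) from e


def urlopen(url, *, context=None, **kwargs):
    """Drop-in for urllib.request.urlopen(); HTTPS goes through the handler."""
    target = url.full_url if isinstance(url, urllib.request.Request) else url
    if not target.lower().startswith('https:'):
        return urllib.request.urlopen(url, **kwargs)
    opener = urllib.request.build_opener(VerifyingHTTPSHandler(context))
    return opener.open(url, **kwargs)
```

Because the certificate is fetched on a separate, unverified connection, it may differ from the one that failed verification; a trust decision based on it should pin the fingerprint the user was shown.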
