Merge lp:~jelmer/brz/sni-support into lp:brz

Proposed by Jelmer Vernooij
Status: Merged
Approved by: Jelmer Vernooij
Approved revision: no longer in the source branch.
Merge reported by: The Breezy Bot
Merged at revision: not available
Proposed branch: lp:~jelmer/brz/sni-support
Merge into: lp:brz
Diff against target: 204 lines (+35/-33)
4 files modified
MANIFEST.in (+4/-4)
breezy/tests/ssl_certs/create_ssls.py (+22/-21)
breezy/transport/http/_urllib2_wrappers.py (+6/-6)
doc/en/release-notes/brz-3.0.txt (+3/-2)
To merge this branch: bzr merge lp:~jelmer/brz/sni-support
Reviewer Review Type Date Requested Status
Martin Packman Approve
Review via email: mp+324979@code.launchpad.net

Commit message

Add SNI support.

Description of the change

Add sni-support.

Cherry-picked from lp:~vila/bzr/1089352-sni-support

Martin Packman (gz) wrote :

Okay, so the important bit is just passing server_hostname through to SSLSocket. All changes look fine.

review: Approve
The Breezy Bot (the-breezy-bot) wrote :

Running landing tests failed
http://10.242.247.184:8080/job/brz-dev/40/

The Breezy Bot (the-breezy-bot) wrote :

Running landing tests failed
http://10.242.247.184:8080/job/brz-dev/44/

Preview Diff

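--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,10 +1,10 @@
-include bzr README setup.py COPYING.txt
+include brz README setup.py COPYING.txt
 # FIXME: Not needed, remove after 2.7.0 -- vila 2016-02-07
-include BRANCH.TODO INSTALL Makefile MANIFEST.in NEWS profile_imports.py README_BDIST_RPM .rsyncexclude .testr.conf TODO tools/bzr_epydoc tools/packaging/lp-upload-release tools/subunit-sum bzrlib/plugins/news_merge/README bzrlib/plugins/po_merge/README bzrlib/tests/ssl_certs/ca.key bzrlib/tests/ssl_certs/server.csr bzrlib/plugins/grep/.bzrignore bzrlib/plugins/grep/NEWS
+include BRANCH.TODO INSTALL Makefile MANIFEST.in NEWS profile_imports.py README_BDIST_RPM .rsyncexclude .testr.conf TODO tools/bzr_epydoc tools/packaging/lp-upload-release tools/subunit-sum breezy/plugins/news_merge/README breezy/plugins/po_merge/README breezy/tests/ssl_certs/ca.key breezy/tests/ssl_certs/server.csr breezy/plugins/grep/.bzrignore breezy/plugins/grep/NEWS
 # bzr export still create some empty dirs that need to be removed
-# bzrlib/plugins/weave_fmt/tests/ bzrlib/store/revision/ doc/ja/_templates/ man1/ man1
+# breezy/plugins/weave_fmt/tests/ breezy/store/revision/ doc/ja/_templates/ man1/ man1
 recursive-include tools/win32 *
-recursive-include bzrlib *.py *.pyx *.pxd *.txt *.c *.h
+recursive-include breezy *.py *.pyx *.pxd *.txt *.c *.h
 recursive-include tools *.py *.sh
 recursive-include apport *
 recursive-include contrib *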
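--- a/breezy/tests/ssl_certs/create_ssls.py
+++ b/breezy/tests/ssl_certs/create_ssls.py
@@ -1,6 +1,6 @@
 #! /usr/bin/env python
 
-# Copyright (C) 2007 Canonical Ltd
+# Copyright (C) 2007, 2008, 2009, 2017 Canonical Ltd
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -44,26 +44,24 @@
 CalledProcessError,
 Popen,
 PIPE,
- )
+)
 import sys
 
 # We want to use the right breezy: the one we are part of
-# FIXME: The fllowing is correct but looks a bit ugly
+# FIXME: The following is correct but looks a bit ugly
 _dir = os.path.dirname
 our_bzr = _dir(_dir(_dir(_dir(os.path.realpath(__file__)))))
 sys.path.insert(0, our_bzr)
 
-from breezy import (
- osutils,
- )
-from breezy.tests import (
- ssl_certs,
- )
+from ... import osutils
+from .. import ssl_certs
+
 
 def error(s):
 print(s)
 exit(1)
 
+
 def needs(request, *paths):
 """Errors out if the specified path does not exists"""
 missing = [p for p in paths if not os.path.exists(p)]
@@ -78,6 +76,7 @@
 except:
 pass
 
+
 def _openssl(args, input=None):
 """Execute a command in a subproces feeding stdin with the provided input.
 
@@ -92,7 +91,7 @@
 return proc.returncode, stdout, stderr
 
 
-ssl_params=dict(
+ssl_params = dict(
 # Passwords
 server_pass='I will protect the communications',
 server_challenge_pass='Challenge for the CA',
@@ -111,17 +110,18 @@
 server_locality='LocalHost',
 server_organization='Testing Ltd',
 server_section='https server',
- server_name='127.0.0.1', # Always accessed under that name
- server_email='https_server@locahost',
+ server_name='127.0.0.1', # Always accessed under that name
+ server_email='https_server@localhost',
 server_optional_company_name='',
- )
+)
 
 
 def build_ca_key():
 """Generate an ssl certificate authority private key."""
 key_path = ssl_certs.build_path('ca.key')
 rm_f(key_path)
- _openssl(['genrsa', '-passout', 'stdin', '-des3', '-out', key_path, '4096'],
+ _openssl(['genrsa', '-passout', 'stdin', '-des3', '-out',
+ key_path, '4096'],
 input='%(ca_pass)s\n%(ca_pass)s\n' % ssl_params)
 
 
@@ -150,17 +150,18 @@
 """Generate an ssl server private key.
 
 We generates a key with a password and then copy it without password so
- that as server can user it without prompting.
+ that a server can use it without prompting.
 """
 key_path = ssl_certs.build_path('server_with_pass.key')
 rm_f(key_path)
- _openssl(['genrsa', '-passout', 'stdin', '-des3', '-out', key_path, '4096'],
+ _openssl(['genrsa', '-passout', 'stdin', '-des3', '-out',
+ key_path, '4096'],
 input='%(server_pass)s\n%(server_pass)s\n' % ssl_params)
 
 key_nopass_path = ssl_certs.build_path('server_without_pass.key')
 rm_f(key_nopass_path)
 _openssl(['rsa', '-passin', 'stdin', '-in', key_path,
- '-out', key_nopass_path,],
+ '-out', key_nopass_path],
 input='%(server_pass)s\n' % ssl_params)
 
 
@@ -199,7 +200,7 @@
 '-in', server_csr_path,
 '-CA', ca_cert_path, '-CAkey', ca_key_path,
 '-set_serial', '01',
- '-out', server_cert_path,],
+ '-out', server_cert_path],
 input='%(ca_pass)s\n' % ssl_params)
 
 
@@ -231,7 +232,7 @@
 opt_parser.add_option(
 "-r", "--sign-request", dest="signing_requests", action="append",
 metavar="REQUEST",
- help="generate a new signing REQUEST (several -r options can be specified)")
+ help="generate a new signing REQUEST (can be repeated)")
 opt_parser.add_option(
 "-s", "--sign", dest="signings", action="append",
 metavar="SIGNING",
@@ -247,8 +248,8 @@
 if __name__ == '__main__':
 (Options, args) = opt_parser.parse_args()
 if (Options.ca or Options.server):
- if (Options.keys or Options.certificates or Options.signing_requests
- or Options.signings):
+ if ((Options.keys or Options.certificates or Options.signing_requests
+ or Options.signings)):
 error("--ca and --server can't be used with other options")
 # Handles --ca before --server so that both can be used in the same run
 # to generate all the files needed by the https test server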
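Review bot: The relative imports `from ... import osutils` and `from .. import ssl_certs` added in the second hunk cannot resolve when this file is executed directly, which the shebang line and the `if __name__ == '__main__':` block suggest is the intended use, because a module run as a script has no parent package. The `sys.path.insert(0, our_bzr)` just above only helps absolute imports, so I would keep `from breezy import osutils` and `from breezy.tests import ssl_certs` here. If the script is instead meant to be started with `python -m`, the module docstring (outside the hunk) should say so, and the `sys.path` manipulation becomes unnecessary.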
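--- a/breezy/transport/http/_urllib2_wrappers.py
+++ b/breezy/transport/http/_urllib2_wrappers.py
@@ -455,9 +455,9 @@
 "'bzr help ssl.ca_certs' for more information on setting "
 "trusted CAs.")
 try:
- ssl_sock = ssl.wrap_socket(
- self.sock, self.key_file, self.cert_file,
- cert_reqs=cert_reqs, ca_certs=ca_certs)
+ ssl_sock = ssl.SSLSocket(self.sock, self.key_file, self.cert_file,
+ cert_reqs=cert_reqs, ca_certs=ca_certs,
+ server_hostname=self.host)
 except ssl.SSLError:
 trace.note(
 "\n"
@@ -466,13 +466,13 @@
 "Pass -Ossl.cert_reqs=none to disable certificate "
 "verification entirely.\n")
 raise
+ # Wrap the ssl socket before anybody use it
+ self._wrap_socket_for_reporting(ssl_sock)
+
 if cert_reqs == ssl.CERT_REQUIRED:
 peer_cert = ssl_sock.getpeercert()
 ssl.match_hostname(peer_cert, host)
 
- # Wrap the ssl socket before anybody use it
- self._wrap_socket_for_reporting(ssl_sock)
-
 
 class Request(urllib2.Request):
 """A custom Request object.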
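Review bot: The SNI name and the verified name come from two different variables: the new call passes `server_hostname=self.host`, while the check a few lines below is `ssl.match_hostname(peer_cert, host)`. How `host` is derived is outside the hunk, but if it can differ from `self.host` (for example when the connection is tunnelled through a proxy), the server is asked for one name's certificate and then validated against another; `server_hostname=host` would keep the two aligned. Constructing `ssl.SSLSocket` directly is also not the documented entry point; where the supported Python versions provide it, `ssl.SSLContext.wrap_socket(self.sock, server_hostname=host)` is the supported way to send SNI. The enclosing method starts before the hunk, so this should be confirmed against the full function.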
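--- a/doc/en/release-notes/brz-3.0.txt
+++ b/doc/en/release-notes/brz-3.0.txt
@@ -43,8 +43,9 @@
 Bug Fixes
 *********
 
-.. Fixes for situations where brz would previously crash or give incorrect
- or undesirable results.
+* Support Server Name Indication (SNI) when talking to https servers.
+ Cherry-picked from lp:~vila/bzr/1089352-sni-support
+ (Vincent Ladeuil, #1089352)
 
 Documentation
 *************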
