Bazaar

Merge lp:~vila/bzr/929179-default-ssl-certs into lp:bzr/2.5

  1. 929179-default-ssl-certs
  2. Merge into 2.5
Proposed by Vincent Ladeuil
Status: Merged
Approved by: Vincent Ladeuil
Approved revision: no longer in the source branch.
Merged at revision: 6474
Proposed branch: lp:~vila/bzr/929179-default-ssl-certs
Merge into: lp:bzr/2.5
Diff against target: 48 lines (+12/-2)
2 files modified
bzrlib/transport/http/_urllib2_wrappers.py (+8/-2)
doc/en/release-notes/bzr-2.5.txt (+4/-0)
To merge this branch: bzr merge lp:~vila/bzr/929179-default-ssl-certs
Reviewer Review Type Date Requested Status
Martin Pool Approve
Review via email: mp+93177@code.launchpad.net

Commit message

Default to no ssl cert verification on osx and windows

Description of the change

As discussed during the standup and on IRC, this change the default value of
`ssl.ca_reqs` for osx and windows where we don't yet have a way to access
the native ssl root certificates.

I've filed bug #932647 and bug #932648 for windows and osx so the long term
solution can be tracked.

To post a comment you must log in.
Revision history for this message
Martin Pool (mbp) wrote :

nice.

[fix] typo 'prodvided' in the news

 vote approve

review: Approve
Revision history for this message
Vincent Ladeuil (vila) wrote :

sent to pqm by email

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'bzrlib/transport/http/_urllib2_wrappers.py'
2--- bzrlib/transport/http/_urllib2_wrappers.py 2012-01-31 17:00:22 +0000
3+++ bzrlib/transport/http/_urllib2_wrappers.py 2012-02-16 08:32:18 +0000
4@@ -86,7 +86,6 @@
5 # XXX: Needs checking, can't trust the interweb ;) -- vila 2012-01-25
6 u'/etc/openssl/certs/ca-certificates.crt', # Solaris
7 ]
8-
9 def default_ca_certs():
10 if sys.platform == 'win32':
11 return os.path.join(os.path.dirname(sys.executable), u"ca_bundle.crt")
12@@ -122,6 +121,13 @@
13 except KeyError:
14 raise ValueError("invalid value %s" % unicode_str)
15
16+def default_ca_reqs():
17+ if sys.platform in ('win32', 'darwin'):
18+ # FIXME: Once we get a native access to root certificates there, this
19+ # won't needed anymore. See http://pad.lv/920455 -- vila 2012-02-15
20+ return u'none'
21+ else:
22+ return u'required'
23
24 opt_ssl_ca_certs = config.Option('ssl.ca_certs',
25 from_unicode=ca_certs_from_store,
26@@ -137,7 +143,7 @@
27 """)
28
29 opt_ssl_cert_reqs = config.Option('ssl.cert_reqs',
30- default=u"required",
31+ default=default_ca_reqs,
32 from_unicode=cert_reqs_from_store,
33 invalid='error',
34 help="""\
35
36=== modified file 'doc/en/release-notes/bzr-2.5.txt'
37--- doc/en/release-notes/bzr-2.5.txt 2012-02-03 12:47:10 +0000
38+++ doc/en/release-notes/bzr-2.5.txt 2012-02-16 08:32:18 +0000
39@@ -33,6 +33,10 @@
40 .. Fixes for situations where bzr would previously crash or give incorrect
41 or undesirable results.
42
43+* Disable ssl certificate verification on osx and windows until a native
44+ access to the the root certificates is provided there.
45+ (Vincent Ladeuil, #929179)
46+
47 Documentation
48 *************
49

Subscribers

People subscribed via source and target branches