Merge lp:~vila/bzr/929179-default-ssl-certs into lp:bzr/2.5

Proposed by Vincent Ladeuil
Status: Merged
Approved by: Vincent Ladeuil
Approved revision: 6474
Merged at revision: 6474
Proposed branch: lp:~vila/bzr/929179-default-ssl-certs
Merge into: lp:bzr/2.5
Diff against target: 48 lines (+12/-2)
2 files modified
bzrlib/transport/http/_urllib2_wrappers.py (+8/-2)
doc/en/release-notes/bzr-2.5.txt (+4/-0)
To merge this branch: bzr merge lp:~vila/bzr/929179-default-ssl-certs
Reviewer Review Type Date Requested Status
Martin Pool Approve
Review via email: mp+93177@code.launchpad.net

Commit message

Default to no ssl cert verification on osx and windows

Description of the change

As discussed during the standup and on IRC, this changes the default value of
`ssl.ca_reqs` for osx and windows where we don't yet have a way to access
the native ssl root certificates.

I've filed bug #932647 and bug #932648 for windows and osx so the long term
solution can be tracked.

Martin Pool (mbp) wrote :

nice.

[fix] typo 'prodvided' in the news

 vote approve

review: Approve
6475. By Vincent Ladeuil

Fix typo in news entry.

Vincent Ladeuil (vila) wrote :

sent to pqm by email

Preview Diff

=== modified file 'bzrlib/transport/http/_urllib2_wrappers.py'
--- bzrlib/transport/http/_urllib2_wrappers.py 2012-01-31 17:00:22 +0000
+++ bzrlib/transport/http/_urllib2_wrappers.py 2012-02-16 08:32:18 +0000
@@ -86,7 +86,6 @@
86 # XXX: Needs checking, can't trust the interweb ;) -- vila 2012-01-2586 # XXX: Needs checking, can't trust the interweb ;) -- vila 2012-01-25
87 u'/etc/openssl/certs/ca-certificates.crt', # Solaris87 u'/etc/openssl/certs/ca-certificates.crt', # Solaris
88 ]88 ]
89
90def default_ca_certs():89def default_ca_certs():
91 if sys.platform == 'win32':90 if sys.platform == 'win32':
92 return os.path.join(os.path.dirname(sys.executable), u"ca_bundle.crt")91 return os.path.join(os.path.dirname(sys.executable), u"ca_bundle.crt")
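Review bot: the only change in this hunk is the blank line dropped before `def default_ca_certs():`, which is unrelated to the certificate-verification default this branch is about. I would leave whitespace cleanup out of a change that alters security behaviour, so the diff against 2.5 shows only the lines that matter.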
@@ -122,6 +121,13 @@
122 except KeyError:121 except KeyError:
123 raise ValueError("invalid value %s" % unicode_str)122 raise ValueError("invalid value %s" % unicode_str)
124123
124def default_ca_reqs():
125 if sys.platform in ('win32', 'darwin'):
126 # FIXME: Once we get a native access to root certificates there, this
127 # won't needed anymore. See http://pad.lv/920455 -- vila 2012-02-15
128 return u'none'
129 else:
130 return u'required'
125131
126opt_ssl_ca_certs = config.Option('ssl.ca_certs',132opt_ssl_ca_certs = config.Option('ssl.ca_certs',
127 from_unicode=ca_certs_from_store,133 from_unicode=ca_certs_from_store,
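Review bot: `default_ca_reqs()` returns u'none' on win32 and darwin without telling the user, so HTTPS connections on those platforms are made with no certificate verification and nothing says so at run time. Suggest emitting a one-time warning when this platform default is what ends up in effect, so users know they can set `ssl.cert_reqs` and `ssl.ca_certs` themselves. Smaller points in the same function: the FIXME reads "won't needed" (should be "won't be needed"); it points at http://pad.lv/920455 while the description says bug #932647 and bug #932648 track the long-term fix; and the name says ca_reqs while the option it feeds is `ssl.cert_reqs`, so `default_cert_reqs` would be easier to search for.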
@@ -137,7 +143,7 @@
137""")143""")
138144
139opt_ssl_cert_reqs = config.Option('ssl.cert_reqs',145opt_ssl_cert_reqs = config.Option('ssl.cert_reqs',
140 default=u"required",146 default=default_ca_reqs,
141 from_unicode=cert_reqs_from_store,147 from_unicode=cert_reqs_from_store,
142 invalid='error',148 invalid='error',
143 help="""\149 help="""\
144150
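Review bot: the default for `ssl.cert_reqs` becomes the callable `default_ca_reqs`, but the option's help string is not touched anywhere in this diff, so the documented option gives no hint that its default now depends on the platform. Suggest adding a sentence to the help text stating that the default is none on win32 and darwin and required elsewhere.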
=== modified file 'doc/en/release-notes/bzr-2.5.txt'
--- doc/en/release-notes/bzr-2.5.txt 2012-02-03 12:47:10 +0000
+++ doc/en/release-notes/bzr-2.5.txt 2012-02-16 08:32:18 +0000
@@ -33,6 +33,10 @@
33.. Fixes for situations where bzr would previously crash or give incorrect33.. Fixes for situations where bzr would previously crash or give incorrect
34 or undesirable results.34 or undesirable results.
3535
36* Disable ssl certificate verification on osx and windows until a native
37 access to the the root certificates is provided there.
38 (Vincent Ladeuil, #929179)
39
36Documentation40Documentation
37*************41*************
3842
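Review bot: the news entry says verification is disabled on osx and windows but not how to turn it back on; since this is a security-relevant default, name the options in the entry, for example that `ssl.cert_reqs` can be set to required with `ssl.ca_certs` pointing at a CA bundle. Also, "access to the the root certificates" has a duplicated word.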
