ssl cert verification needs better defaults for all supported platforms

Bug #920455 reported by Vincent Ladeuil
Affects                    Status        Importance  Assigned to      Milestone
Bazaar                     Fix Released  High        Vincent Ladeuil
Bazaar Mac Installers      Confirmed     High        Unassigned
Bazaar Windows Installers  Confirmed     High        Unassigned

Bug Description

While the "/etc/ssl/certs/ca-certificates.crt" default value for the ssl.ca_certs config option is ok for Ubuntu/Debian/Gentoo, we want to add some platform specific values.

A quick google search gives:

freebsd: /usr/local/share/certs/ca-root-nss.crt

fedora/rh: /etc/pki/tls/certs/ca-bundle.crt

opensuse/sle: /etc/ssl/ca-bundle.pem

osx: the certificates are stored in the system key chain, not sure how to proceed there, either we find a way to access them directly or we should provide a script or a recipe to extract/update them.

windows: IIRC we already provide some bundle for pycurl that we can reuse

We probably want to fix this before 2.5.0 is out so marking high (critical seems too much).


Revision history for this message
Vincent Ladeuil (vila) wrote:

Adding bzr-windows-installer to keep track of which path is needed/used/tested.

Changed in bzr-windows-installers:
importance: Undecided → High
status: New → Confirmed
Vincent Ladeuil (vila) wrote:

Adding bzr-mac-installer to keep track of which path is needed/used/tested.

Changed in bzr-mac-installers:
importance: Undecided → High
status: New → Confirmed
Vincent Ladeuil (vila)
Changed in bzr:
milestone: none → 2.5b6
status: Confirmed → Fix Released
Martin Pool (mbp) wrote:

There's a somewhat different, related, bug, which is that on osx and windows, there may not be a single file we need to read, but rather there's an api we need to call.

What we can do as a stop gap is to add an option that disables verification only when there are no trusted certificates.

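The bug description lists one CA bundle path per Unix-like platform, and Martin's comment notes that on OS X and Windows there is no single file to read but an API to call. The following is an added example (not Bazaar's code and not from any of the commenters) of how a client can combine the two: probe the listed bundle paths in order, fall back to the operating-system trust store through Python 3's ssl module where no bundle file exists, and report how many CA certificates were actually loaded so that a caller can fail closed instead of verifying against an empty store. The platform labels, the probe order, the `exists` hook used for testing, and the treatment of unknown Unix-likes as Linux are assumptions of this example.

```python
"""Locate a CA bundle for TLS verification across platforms (added example)."""
import os
import ssl
import sys

# Candidate CA bundle locations taken from the bug report, keyed by a coarse
# platform label. Order within each list is the probe order (an assumption).
CANDIDATE_CA_BUNDLES = {
    "linux": [
        "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu/Gentoo
        "/etc/pki/tls/certs/ca-bundle.crt",    # Fedora/RHEL
        "/etc/ssl/ca-bundle.pem",              # openSUSE/SLE
    ],
    "freebsd": ["/usr/local/share/certs/ca-root-nss.crt"],
    # No single file on these platforms: the OS keychain/store is queried instead.
    "darwin": [],
    "win32": [],
}


def platform_key(platform=None):
    """Map a sys.platform value onto a key of CANDIDATE_CA_BUNDLES."""
    platform = platform or sys.platform
    if platform.startswith("linux"):
        return "linux"
    if platform.startswith("freebsd"):
        return "freebsd"
    if platform in CANDIDATE_CA_BUNDLES:
        return platform
    return "linux"  # assumption: other Unix-likes use the Linux candidates


def find_ca_bundle(candidates, exists=os.path.isfile):
    """Return the first candidate path that exists, or None if none does."""
    for path in candidates:
        if exists(path):
            return path
    return None


def build_ssl_context(platform=None, exists=os.path.isfile):
    """Build a verifying SSLContext and report where its trust anchors came from.

    Returns (context, bundle_path_or_None, number_of_ca_certs_loaded). A zero
    count means verification would fail for every peer; callers should treat
    that as a configuration error rather than relax verification.
    """
    key = platform_key(platform)
    bundle = find_ca_bundle(CANDIDATE_CA_BUNDLES[key], exists)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if bundle is not None:
        ctx.load_verify_locations(cafile=bundle)
    else:
        # On Windows this reads the system certificate store; on macOS and
        # elsewhere it uses OpenSSL's default verify paths.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    loaded = ctx.cert_store_stats()["x509_ca"]
    return ctx, bundle, loaded


if __name__ == "__main__":
    context, path, count = build_ssl_context()
    print("platform:", platform_key(), "bundle:", path, "CA certs loaded:", count)
```

The `exists` parameter lets the probing logic be exercised without touching the real filesystem; in production the default `os.path.isfile` is used. Checking `cert_store_stats()` after loading is the part that addresses the stop-gap discussed above: it makes "no trusted certificates available" an explicit, detectable condition instead of something discovered only when every connection fails.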
Vincent Ladeuil (vila) wrote:

I've filed bug #932647 and bug #932648 for windows and osx so the long term solution can be tracked.

Bug #929179 takes care of disabling the ssl verification for these platforms.
