ssl cert verification needs better defaults for all supported platforms
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Bazaar | | High | Vincent Ladeuil | |
Bazaar Mac Installers | | High | Unassigned | |
Bazaar Windows Installers | | High | Unassigned | |
Bug Description
While the "/etc/ssl/
A quick google search gives:
freebsd: /usr/local/
fedora/rh: /etc/pki/
opensuse/sle: /etc/ssl/
osx: the certificates are stored in the system key chain, not sure how to proceed there, either we find a way to access them directly or we should provide a script or a recipe to extract/update them.
windows: IIRC we already provide some bundle for pycurl that we can reuse
We probably want to fix this before 2.5.0 is out so marking high (critical seems too much).
Related branches
- Martin Packman (community): Approve on 2012-01-31
- Gordon Tyler: Pending requested 2012-01-30
- Jelmer Vernooij: Pending requested 2012-01-30
Diff: 242 lines (+67/-47) (has conflicts), 4 files modified:
bzrlib/errors.py (+2/-1)
bzrlib/tests/test_https_urllib.py (+8/-17)
bzrlib/transport/http/_urllib2_wrappers.py (+50/-29)
doc/en/release-notes/bzr-2.5.txt (+7/-0)
Vincent Ladeuil (vila) wrote : | #1 |
Changed in bzr-windows-installers: | |
importance: | Undecided → High |
status: | New → Confirmed |
Vincent Ladeuil (vila) wrote : | #2 |
Adding bzr-mac-installer to keep track of which path is needed/used/tested.
Changed in bzr-mac-installers: | |
importance: | Undecided → High |
status: | New → Confirmed |
Changed in bzr: | |
milestone: | none → 2.5b6 |
status: | Confirmed → Fix Released |
Martin Pool (mbp) wrote : | #3 |
There's a somewhat different, related, bug, which is that on osx and windows, there may not be a single file we need to read, but rather there's an api we need to call.
What we can do as a stop gap is to add an option that disables verification only when there are no trusted certificates.
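The fallback discussed in the description and in comment #3, as an added example that is not bzr's own code: probe a caller-supplied list of CA bundle paths (the per-platform paths in the description are truncated, so none are hard-coded here), verify against the first usable one, and drop verification only when no bundle exists and the caller has explicitly opted in. The function names and the `allow_unverified_without_ca` option are hypothetical.

```python
import ssl

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def pick_ca_bundle(candidates):
    """Return the first candidate that is a readable file holding PEM data."""
    for path in candidates:
        try:
            with open(path, "rb") as f:
                if PEM_MARKER in f.read():
                    return path
        except OSError:
            continue  # missing, unreadable, or a directory: try the next one
    return None


def make_context(candidates, allow_unverified_without_ca=False):
    """Build a client TLS context and report which bundle it trusts.

    Verification is disabled only when BOTH conditions hold: no trusted
    bundle was found and the caller opted in (hypothetical option name).
    """
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and hostname checking on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    bundle = pick_ca_bundle(candidates)
    if bundle is not None:
        ctx.load_verify_locations(cafile=bundle)
        return ctx, bundle
    if not allow_unverified_without_ca:
        raise RuntimeError("no CA bundle found; refusing to connect unverified")
    ctx.check_hostname = False  # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx, None


if __name__ == "__main__":
    # Ask the linked OpenSSL where it expects its default bundle to be.
    paths = ssl.get_default_verify_paths()
    found = pick_ca_bundle([p for p in (paths.cafile, paths.openssl_cafile) if p])
    print("default CA bundle:", found or "none found")
```

Returning the chosen bundle alongside the context lets the caller log which trust store was used, or warn loudly when the unverified fallback was taken.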
Vincent Ladeuil (vila) wrote : | #4 |
I've filed bug #932647 and bug #932648 for windows and osx so the long term solution can be tracked.
Bug #929179 takes care of disabling the ssl verification for these platforms.
Adding bzr-windows-installer to keep track of which path is needed/used/tested.