Bazaar Mac Installers

ssl cert verification needs better defaults for all supported platforms

Bug #920455 reported by Vincent Ladeuil on 2012-01-23
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Bazaar
Fix Released
High
Vincent Ladeuil
Bazaar 2.5b6
Bazaar Mac Installers
Confirmed
High
Unassigned
Bazaar Windows Installers
Confirmed
High
Unassigned
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

While the "/etc/ssl/certs/ca-certificates.crt" default value for the ssl.ca_certs config option is ok for Ubuntu/Debian/Gentoo, we want to add some platform specific values.

A quick google search gives:

freebsd: /usr/local/share/certs/ca-root-nss.crt

fedora/rh: /etc/pki/tls/certs/ca-bundle.crt

opensuse/sle: /etc/ssl/ca-bundle.pem

osx: the certificates are stored in the system key chain, not sure how to proceed there, either we find a way to access them directly or we should provide a script or a recipe to extract/update them.

windows: IIRC we already provide some bundle for pycurl that we can reuse

We probably want to fix this before 2.5.0 is out so marking high (critical seems too much).

Related branches

lp:~vila/bzr/920455-ssl-defaults
Martin Packman (community): Approve on 2012-01-31
Gordon Tyler: Pending requested 2012-01-30
Jelmer Vernooij: Pending requested 2012-01-30
Diff: 242 lines (+67/-47) (has conflicts)
4 files modified
bzrlib/errors.py (+2/-1)
bzrlib/tests/test_https_urllib.py (+8/-17)
bzrlib/transport/http/_urllib2_wrappers.py (+50/-29)
doc/en/release-notes/bzr-2.5.txt (+7/-0)
Vincent Ladeuil (vila) wrote :

Adding bzr-windows-installer to keep track of which path is needed/used/tested.

Changed in bzr-windows-installers:
importance: Undecided → High
status: New → Confirmed
Vincent Ladeuil (vila) wrote :

Adding bzr-mac-installer to keep track of which path is needed/used/tested.

Changed in bzr-mac-installers:
importance: Undecided → High
status: New → Confirmed
Vincent Ladeuil (vila) on 2012-01-31
Changed in bzr:
milestone: none → 2.5b6
status: Confirmed → Fix Released
Martin Pool (mbp) wrote :

There's a somewhat different, related, bug, which is that on osx and windows, there may not be a single file we need to read, but rather there's an api we need to call.

What we can do as a stop gap is to add an option that disables verification only when there are no trusted certificates.

Vincent Ladeuil (vila) wrote :

I've filed bug #932647 and bug #932648 for windows and osx so the long term solution can be tracked.

Bug #929179 takes care of disabling the sll verification for these platforms.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers