Rev 6458: Provide default paths for ca certs for supported platforms in file:///home/vila/src/bzr/bugs/920455-ssl-defaults/
Vincent Ladeuil
v.ladeuil+lp at free.fr
Wed Jan 25 14:27:22 UTC 2012
At file:///home/vila/src/bzr/bugs/920455-ssl-defaults/
------------------------------------------------------------
revno: 6458
revision-id: v.ladeuil+lp at free.fr-20120125142722-vo8wsx6hsccvmeby
parent: pqm at pqm.ubuntu.com-20120123174145-flb09hzz5l5gjods
fixes bug: https://launchpad.net/bugs/920455
committer: Vincent Ladeuil <v.ladeuil+lp at free.fr>
branch nick: 920455-ssl-defaults
timestamp: Wed 2012-01-25 15:27:22 +0100
message:
Provide default paths for ca certs for supported platforms
-------------- next part --------------
=== modified file 'bzrlib/tests/test_https_urllib.py'
--- a/bzrlib/tests/test_https_urllib.py 2012-01-19 15:27:47 +0000
+++ b/bzrlib/tests/test_https_urllib.py 2012-01-25 14:27:22 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2011 Canonical Ltd
+# Copyright (C) 2011,2012 Canonical Ltd
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -41,18 +41,10 @@
def get_stack(self, content):
return config.MemoryStack(content.encode('utf-8'))
- def test_default_raises_value_error(self):
- stack = self.get_stack("")
- self.overrideAttr(_urllib2_wrappers, "DEFAULT_CA_PATH",
- "/i-do-not-exist")
- self.assertRaises(ValueError, stack.get, 'ssl.ca_certs')
-
def test_default_exists(self):
- self.build_tree(['cacerts.pem'])
+ """Check that the default we provide exists for the tested platform."""
stack = self.get_stack("")
- path = os.path.join(self.test_dir, "cacerts.pem")
- self.overrideAttr(_urllib2_wrappers, "DEFAULT_CA_PATH", path)
- self.assertEquals(path, stack.get('ssl.ca_certs'))
+ self.assertPathExists(stack.get('ssl.ca_certs'))
def test_specified(self):
self.build_tree(['cacerts.pem'])
@@ -63,15 +55,7 @@
def test_specified_doesnt_exist(self):
path = os.path.join(self.test_dir, "nonexisting.pem")
stack = self.get_stack("ssl.ca_certs = %s\n" % path)
- self.warnings = []
- def warning(*args):
- self.warnings.append(args[0] % args[1:])
- self.overrideAttr(trace, 'warning', warning)
- self.assertEquals(_urllib2_wrappers.DEFAULT_CA_PATH,
- stack.get('ssl.ca_certs'))
- self.assertLength(1, self.warnings)
- self.assertContainsRe(self.warnings[0],
- "is not valid for \"ssl.ca_certs\"")
+ self.assertRaises(ConfigOptionValueError, stack.get, 'ssl.ca_certs')
class CertReqsConfigTests(TestCaseInTempDir):
=== modified file 'bzrlib/transport/http/_urllib2_wrappers.py'
--- a/bzrlib/transport/http/_urllib2_wrappers.py 2012-01-20 09:19:14 +0000
+++ b/bzrlib/transport/http/_urllib2_wrappers.py 2012-01-25 14:27:22 +0000
@@ -1,4 +1,4 @@
-# Copyright (C) 2006-2011 Canonical Ltd
+# Copyright (C) 2006-2012 Canonical Ltd
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -74,14 +74,40 @@
import ssl
""")
-DEFAULT_CA_PATH = u"/etc/ssl/certs/ca-certificates.crt"
+# Note for packagers: if there is no package providing certs for your platform,
+# the curl project produces http://curl.haxx.se/ca/cacert.pem weekly.
def default_ca_certs():
- if not os.path.exists(DEFAULT_CA_PATH):
- raise ValueError("default ca certs path %s does not exist" %
- DEFAULT_CA_PATH)
- return DEFAULT_CA_PATH
+ # A default path that makes sense, even if not correct for all platforms
+ path = u"/etc/ssl/certs/ca-certificates.crt"
+ if sys.platform.startswith('linux'):
+ # Try some known locations
+ for p in (u'/etc/ssl/certs/ca-certificates.crt', # Ubuntu/debian
+ u'/etc/pki/tls/certs/ca-bundle.crt', # Fedora/CentOS/RH
+ u'/etc/ssl/ca-bundle.pem', # OpenSuse
+ ):
+ if os.path.exists(p):
+ # First found wins
+ return path
+ if "bsd" in sys.platform:
+ # Our best bet is to rely on ca_root_nss being installed
+ path = u"/usr/local/share/certs/ca-root-nss.crt"
+ elif sys.platform == 'win32':
+ # FIXME: We could reuse bzrlib.transport.http.ca_bundle but import that
+ # here sounds... too hackish. Waiting for the windows installer guys
+ # feedback on which path to use -- vila 2012-01-25
+ pass
+ elif sys.platform == 'darwin':
+ # FIXME: Needs some default value for osx, waiting for osx installers
+ # guys feedback -- vila 2012-01-25
+ pass
+ elif sys.platform == 'sunos5':
+ # XXX: Needs checking, can't trust the interweb ;) -- vila 2012-01-25
+ path = u'/etc/openssl/certs/ca-certificates.crt'
+ if not os.path.exists(path):
+ raise ValueError("default ca certs path %s does not exist" % path)
+ return path
def ca_certs_from_store(path):
@@ -90,10 +116,6 @@
return path
-def default_cert_reqs():
- return u"required"
-
-
def cert_reqs_from_store(unicode_str):
import ssl
try:
@@ -109,13 +131,13 @@
opt_ssl_ca_certs = config.Option('ssl.ca_certs',
from_unicode=ca_certs_from_store,
default=default_ca_certs,
- invalid='warning',
+ invalid='error',
help="""\
Path to certification authority certificates to trust.
""")
opt_ssl_cert_reqs = config.Option('ssl.cert_reqs',
- default=default_cert_reqs,
+ default=u"required",
from_unicode=cert_reqs_from_store,
invalid='error',
help="""\
@@ -448,15 +470,16 @@
def connect_to_origin(self):
# FIXME JRV 2011-12-18: Use location config here?
config_stack = config.GlobalStack()
- if self.ca_certs is None:
- ca_certs = config_stack.get('ssl.ca_certs')
- else:
- ca_certs = self.ca_certs
cert_reqs = config_stack.get('ssl.cert_reqs')
if cert_reqs == ssl.CERT_NONE:
trace.warning("not checking SSL certificates for %s: %d",
self.host, self.port)
+ ca_certs = None
else:
+ if self.ca_certs is None:
+ ca_certs = config_stack.get('ssl.ca_certs')
+ else:
+ ca_certs = self.ca_certs
if ca_certs is None:
trace.warning(
"no valid trusted SSL CA certificates file set. See "
=== modified file 'doc/en/release-notes/bzr-2.5.txt'
--- a/doc/en/release-notes/bzr-2.5.txt 2012-01-20 16:42:27 +0000
+++ b/doc/en/release-notes/bzr-2.5.txt 2012-01-25 14:27:22 +0000
@@ -47,6 +47,10 @@
* ``bzr branch`` now fetches revisions when branching into an empty
control directory. (Jelmer Vernooij, #905594)
+* A sane default is provided for ``ssl.ca_certs`` which should points to the
+ Certificate Authority bundle for supported platforms.
+ (Vincent Ladeuil, #920455)
+
* Support scripts that don't call bzrlib.initialize() but still call run_bzr().
(Vincent Ladeuil, #917733)
More information about the bazaar-commits
mailing list