Rev 6461: Get rid of 'optional' for ssl.ca_reqs to simplify the model. in file:///home/vila/src/bzr/bugs/920455-ssl-defaults/
Vincent Ladeuil
v.ladeuil+lp at free.fr
Tue Jan 31 11:39:31 UTC 2012
At file:///home/vila/src/bzr/bugs/920455-ssl-defaults/
------------------------------------------------------------
revno: 6461
revision-id: v.ladeuil+lp at free.fr-20120131113929-tp9m9h2uhtbwx3c5
parent: v.ladeuil+lp at free.fr-20120129110636-w1rp0qq0a75vfacr
committer: Vincent Ladeuil <v.ladeuil+lp at free.fr>
branch nick: 920455-ssl-defaults
timestamp: Tue 2012-01-31 12:39:29 +0100
message:
Get rid of 'optional' for ssl.ca_reqs to simplify the model.
-------------- next part --------------
=== modified file 'bzrlib/tests/test_https_urllib.py'
--- a/bzrlib/tests/test_https_urllib.py 2012-01-25 14:27:22 +0000
+++ b/bzrlib/tests/test_https_urllib.py 2012-01-31 11:39:29 +0000
@@ -67,8 +67,6 @@
def test_from_string(self):
stack = config.MemoryStack("ssl.cert_reqs = none\n")
self.assertEquals(ssl.CERT_NONE, stack.get("ssl.cert_reqs"))
- stack = config.MemoryStack("ssl.cert_reqs = optional\n")
- self.assertEquals(ssl.CERT_OPTIONAL, stack.get("ssl.cert_reqs"))
stack = config.MemoryStack("ssl.cert_reqs = required\n")
self.assertEquals(ssl.CERT_REQUIRED, stack.get("ssl.cert_reqs"))
stack = config.MemoryStack("ssl.cert_reqs = invalid\n")
=== modified file 'bzrlib/transport/http/_urllib2_wrappers.py'
--- a/bzrlib/transport/http/_urllib2_wrappers.py 2012-01-29 11:06:36 +0000
+++ b/bzrlib/transport/http/_urllib2_wrappers.py 2012-01-31 11:39:29 +0000
@@ -77,7 +77,7 @@
# Note for packagers: if there is no package providing certs for your platform,
# the curl project produces http://curl.haxx.se/ca/cacert.pem weekly.
-ssl_ca_certs_known_locations = [
+_ssl_ca_certs_known_locations = [
u'/etc/ssl/certs/ca-certificates.crt', # Ubuntu/debian/gentoo
u'/etc/pki/tls/certs/ca-bundle.crt', # Fedora/CentOS/RH
u'/etc/ssl/ca-bundle.pem', # OpenSuse
@@ -100,13 +100,13 @@
else:
# Try known locations for friendly OSes providing the root certificates
# without making them hard to use for any https client.
- for path in ssl_ca_certs_known_locations:
+ for path in _ssl_ca_certs_known_locations:
if os.path.exists(path):
# First found wins
return path
# A default path that makes sense and will be mentioned in the error
# presented to the user, even if not correct for all platforms
- return ssl_ca_certs_known_locations[0]
+ return _ssl_ca_certs_known_locations[0]
def ca_certs_from_store(path):
@@ -120,7 +120,6 @@
try:
return {
"required": ssl.CERT_REQUIRED,
- "optional": ssl.CERT_OPTIONAL,
"none": ssl.CERT_NONE
}[unicode_str]
except KeyError:
@@ -144,8 +143,7 @@
Possible values:
* none: Certificates ignored
- * optional: Certificates not required, but validated if provided
- * required: Certificates required, and validated
+ * required: Certificates required and validated
""")
checked_kerberos = False
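Review bot: The help text's `* none: Certificates ignored` understates what the setting now does. In the connection hunk of this same commit, `match_hostname` runs only when cert_reqs is CERT_REQUIRED, so `none` turns off both chain validation and the hostname check. I would say so explicitly, e.g. `* none: Certificates are not validated and the server's identity is not checked`. A short line stating that `optional` is no longer accepted would also help anyone whose configuration still carries that value. How a rejected value is reported to the user is outside this hunk.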
@@ -495,9 +493,8 @@
"-Ossl.cert_reqs=none. See ``bzr help ssl.ca_certs`` for "
"more information on specifying trusted CA certificates.")
raise
- peer_cert = ssl_sock.getpeercert()
- if (cert_reqs == ssl.CERT_REQUIRED or
- (cert_reqs == ssl.CERT_OPTIONAL and peer_cert)):
+ if cert_reqs == ssl.CERT_REQUIRED:
+ peer_cert = ssl_sock.getpeercert()
match_hostname(peer_cert, self.host)
# Wrap the ssl socket before anybody use it
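Review bot: The new `if cert_reqs == ssl.CERT_REQUIRED:` guard fails open, because any value other than CERT_REQUIRED skips `match_hostname`, not just the explicit CERT_NONE opt-out. The option parser in this commit now yields only the two expected values, but where cert_reqs is set for this call is outside the hunk, so an unexpected value (a stale CERT_OPTIONAL from a caller, for instance) would silently drop hostname verification. Testing for the opt-out instead keeps the check on by default: `if cert_reqs != ssl.CERT_NONE:`. The enclosing method starts and ends outside the hunk.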