Rev 6491: (gz) Use correct host name for checking certificates when using a proxy for in file:///srv/pqm.bazaar-vcs.org/archives/thelove/bzr/2.5/

Patch Queue Manager pqm at pqm.ubuntu.com
Mon Mar 12 18:34:05 UTC 2012


At file:///srv/pqm.bazaar-vcs.org/archives/thelove/bzr/2.5/

------------------------------------------------------------
revno: 6491 [merge]
revision-id: pqm at pqm.ubuntu.com-20120312183404-r5kf7ug5so2xmski
parent: pqm at pqm.ubuntu.com-20120312180647-mkadzywe7jc178lr
parent: martin.packman at canonical.com-20120312172004-i89m5mygc8prunro
committer: Patch Queue Manager <pqm at pqm.ubuntu.com>
branch nick: 2.5
timestamp: Mon 2012-03-12 18:34:04 +0000
message:
  (gz) Use correct host name for checking certificates when using a proxy for
   https (Martin Packman)
modified:
  bzrlib/transport/http/_urllib2_wrappers.py _urllib2_wrappers.py-20060913231729-ha9ugi48ktx481ao-1
  doc/en/release-notes/bzr-2.5.txt bzr2.5.txt-20110708125756-587p0hpw7oke4h05-1
=== modified file 'bzrlib/transport/http/_urllib2_wrappers.py'
--- a/bzrlib/transport/http/_urllib2_wrappers.py	2012-02-21 12:16:02 +0000
+++ b/bzrlib/transport/http/_urllib2_wrappers.py	2012-03-09 17:29:54 +0000
@@ -476,9 +476,12 @@
         # FIXME JRV 2011-12-18: Use location config here?
         config_stack = config.GlobalStack()
         cert_reqs = config_stack.get('ssl.cert_reqs')
+        if self.proxied_host is not None:
+            host = self.proxied_host.split(":", 1)[0]
+        else:
+            host = self.host
         if cert_reqs == ssl.CERT_NONE:
-            trace.warning("Not checking SSL certificate for %s: %d",
-                self.host, self.port)
+            trace.warning("Not checking SSL certificate for %s", host)
             ca_certs = None
         else:
             if self.ca_certs is None:
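Review bot: `self.proxied_host.split(":", 1)[0]` cuts at the first colon, so if proxied_host can ever be a bracketed IPv6 literal such as `[::1]:443`, the name handed to the certificate check becomes `[`. Splitting the port off from the right and stripping the brackets, or reusing an existing host/port parser, would avoid that. Separately, the new warning drops the port that the old `%s: %d` message reported, which makes the log line less specific when several services share a host.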
@@ -503,7 +506,7 @@
             raise
         if cert_reqs == ssl.CERT_REQUIRED:
             peer_cert = ssl_sock.getpeercert()
-            match_hostname(peer_cert, self.host)
+            match_hostname(peer_cert, host)
 
         # Wrap the ssl socket before anybody use it
         self._wrap_socket_for_reporting(ssl_sock)
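Review bot: the change to `match_hostname(peer_cert, host)` comes with no test; the modified list shows only _urllib2_wrappers.py and the release notes. A regression test that connects through a proxy and asserts that a certificate issued for the proxy's name is rejected for the destination would pin this behaviour down. Since `host` is assigned in the earlier hunk, a short comment at this call saying it is the destination name rather than the connect peer would also help the next reader.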

=== modified file 'doc/en/release-notes/bzr-2.5.txt'
--- a/doc/en/release-notes/bzr-2.5.txt	2012-03-12 14:44:51 +0000
+++ b/doc/en/release-notes/bzr-2.5.txt	2012-03-12 18:34:04 +0000
@@ -32,6 +32,10 @@
 .. Fixes for situations where bzr would previously crash or give incorrect
    or undesirable results.
 
+* Connecting with HTTPS via HTTP now correctly uses the host name of the
+  destination rather than the proxy when checking certificates.
+  (Martin Packman, #944696)
+
 * Fixed merge tool availability checking and invocation to search the
   Windows App Path registry in addition to the PATH. (Gordon Tyler, #939605)
 
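Review bot: the release note reads "Connecting with HTTPS via HTTP", which omits the word "proxy" and is hard to parse on its own. Suggest "Connecting with HTTPS via an HTTP proxy now correctly uses the host name of the destination rather than the proxy when checking certificates."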



